Device and method for authenticating user's access rights to resources

ABSTRACT

The present invention provides a device for authenticating a user's access rights to resources, which comprises first memory means for storing challenging data, second memory means for storing unique identifying information of the user, third memory means for storing proof support information which is a result of executing predetermined computations to the unique identifying information of the user and unique security characteristic information of the device, response generation means for generating a response from the challenging data stored in the first memory means, the unique identifying information stored in the second memory means and the proof support information stored in the third memory means, and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information of the device satisfy a specific predefined relation.

This is a Continuation-in-Part of Application Ser. No. 08/731,928, filed Oct. 18, 1996, now abandoned.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a device for authenticating a user's access rights to resources.

2. Discussion of the Related Art

Program execution control technologies are known in the field to which the present invention belongs. The program execution control technologies are technologies to:

1. Embed a routine for user authentication during the use of an application program;
2. Have the routine examine whether the user attempting execution of the application possesses a key for proper authentication; and
3. Continue the program only when the existence of the key for authentication is verified, otherwise to halt execution.

By using these technologies, execution of the application program is enabled only for proper users having the authentication key. The technologies are commercialized in the software marketing field, two examples being Sentinel/SuperPro (trade mark) from Rainbow Technologies, Inc. and HASP (trade mark) from Aladdin Knowledge Systems, Ltd.

In the use of program execution control technologies, a user who executes software possesses an authentication key as user identification information. The authentication key is a key for encryption and is distributed to the user by a party who allows use of the software, a software vendor, for example. The authentication key is securely sealed in a memory, or the like, of hardware to prevent duplication, and is delivered to the user using physical means such as the postal service. The user mounts it on a personal computer/workstation using a designated method. When the user starts up the application program and when the execution of the program reaches the user authentication routine, the program communicates with the hardware in which the authentication key of the user is embedded. Based on the results of the communication, the program identifies the authentication key, and moves the execution to the following step upon confirmation of the existence of the correct authentication key. If the communication fails and the existence of the authentication key is not verified, the program stops automatically, discontinuing the execution of subsequent steps.

Identification of the authentication key by the user authentication routine is executed according to the following protocol, for example:

1. The user authentication routine generates and transmits an appropriate number to the hardware in which the key is embedded.
2. The hardware in which the key is embedded encrypts the number using the embedded authentication key and transmits it back to the authentication routine.
3. The authentication routine determines whether or not the number transmitted back is the number expected beforehand, or, in other words, the number obtained by encrypting the number with a correct authentication key.
4. If the number transmitted back coincides with the expected number, the execution of the program is continued, otherwise the execution is halted.
5. In this case, communication between the application program and the hardware in which the authentication key is embedded must be different for each execution even if it is between the same location in the same application with the same hardware.

Otherwise, a user who does not possess the correct authentication key may be able to execute the program by recording once the content of communication during the normal execution process, and by responding to the application program according to the recording each time the program is subsequently executed. Such improper execution of the application program by replaying the communication content is called a replay attack.

In order to prevent a replay attack, in general, a random number is generated and used for each communication as the number to be transmitted to the hardware in which the key is embedded.

SUMMARY OF THE INVENTION

The present invention has been made in view of the above circumstances and has an object to provide a device for authenticating a user's access rights to resources and its method which set both users and the protecting side such as application providers free from inconveniences caused by handling of a large amount of unique information, for example, a lot of authentication keys, and thereby a user's access rights are easily and simply authenticated when the execution control of the program, privacy protection of electronic mails, access control of files or computer resources and so forth are carried out.

Additional objects and advantages of the invention will be set forth in part in the description which follows and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims. To achieve the objects and in accordance with the purpose of the invention, as embodied and broadly described herein, one aspect of a device for authenticating a user's access rights to resources of the present invention comprises first memory means for storing challenging data, second memory means for storing unique identifying information of the user, third memory means for storing proof support information which is a result of executing predetermined computations to the user unique identifying information and unique security characteristic information of the device, response generation means for generating a response from the challenging data stored in the first memory means, the unique identifying information stored in the second memory means and the proof support information stored in the third memory means, and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information of the device satisfy a specific predefined relation.

With the above constitution, the unique security characteristic information of the device assigned to the protecting side and the unique identifying information of the user are made to be independent of each other. The information on actual access rights is represented as proof support information (i.e., an access ticket). The user has the user unique identifying information in advance, and on the other hand, a protector, such as a program creator, prepares the unique security characteristic information, or the counterpart of the unique security characteristic information in terms of public key cryptography, independent of the user unique identifying information held by the user. An access ticket is generated based on the user unique identifying information and the unique security characteristic information used in creation of the application program or the like. Access tickets are distributed to the users, whereby authentication of the user's access rights to resources such as execution control can be performed. Thus the complexity occurring in the case where both sides, user and protector, use the same information for performing authentication can be avoided.

Moreover, in the above constitution, at least the second memory means and the response generation means may be confined in the protect means which prevents any data inside from being observed or being tampered with from the outside. It may also be possible to implement at least the second memory means and the response generation means within a small portable device such as a smart card.

The response generating means may comprise first calculation means and second calculation means, wherein the first calculation means executes predetermined calculations to the user unique identifying information stored in the second memory means and the proof support information stored in the third memory means to obtain the unique security characteristic information as a result, and the second calculation means executes predetermined calculations to the challenging data stored in the first memory means and the unique security characteristic information calculated by the first calculation means to generate the response as a result of calculation.

The above-described response generation means may comprise third calculation means, fourth calculation means and fifth calculation means. The third calculation means executes predetermined calculations to the challenging data stored in the first memory means and the proof support information stored in the third memory means, the fourth calculation means executes predetermined calculations to the challenging data stored in the first memory means and the user unique identifying information stored in the second memory means, and the fifth calculation means executes predetermined calculations to the results of calculation by the third and fourth calculation means, whereby the response is generated. In this case, at least the second memory means and the fourth calculation means can be confined within the protect means which prevents any data inside from being observed or being tampered with from the outside. At least the second memory means and the fourth calculation means may be implemented within a small portable device such as a smart card.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the objects, advantages and principles of the invention. In the drawings:

FIG. 1 is a block diagram showing an example of the fundamental constitution of the present invention;

FIG. 2 is a block diagram showing an example of the constitution of the present invention in case that an entire device is implemented within a single PC;

FIG. 3 is a block diagram showing the constitution of a first embodiment of a device for authenticating a user's access rights to resources according to the present invention;

FIG. 4 is a flow chart showing functions of means constituting the devices of the first embodiment;

FIG. 5 is a block diagram showing the constitutions of a verification device and a proving device of a second embodiment of the device for authenticating a user's access rights to resources according to the present invention;

FIG. 6 is a flow chart showing functions of means constituting the verification device of the second embodiment;

FIG. 7 is a block diagram showing a constitutional example of execution means of the verification means of the second embodiment;

FIG. 8 is a flow chart showing functions of the constitutional example of the execution means shown in FIG. 7;

FIG. 9 is a block diagram showing a second constitutional example of execution means of the verification means of the second embodiment;

FIG. 10 is a flow chart showing functions of the constitutional example of the execution means shown in FIG. 9;

FIG. 11 is a block diagram showing a third constitutional example of execution means of the verification means of the second embodiment;

FIG. 12 is a flow chart showing functions of the constitutional example of the execution means shown in FIG. 11;

FIG. 13 is a block diagram showing a fourth constitutional example of execution means of the verification means of the second embodiment;

FIG. 14 is a flow chart showing functions of the constitutional example of the execution means shown in FIG. 13;

FIG. 15 is a block diagram showing the constitution of a proving device of a third embodiment of the device for authenticating a user's access rights to resources according to the present invention;

FIG. 16 is a flow chart showing functions of means constituting the proving device of the third embodiment;

FIG. 17 is a block diagram showing a constitutional example of a fourth embodiment of the device for authenticating a user's access rights to resources according to the present invention;

FIG. 18 is a block diagram showing another constitutional example of the fourth embodiment;

FIG. 19 is a flow chart showing functions of means of the constitutional example shown in FIG. 17;

FIG. 20 is a block diagram showing the constitution of a fifth embodiment of the device for authenticating a user's access rights to resources according to the present invention;

FIG. 21 is a flow chart showing functions of means constituting a verification device of the fifth embodiment;

FIG. 22 is a block diagram showing the constitution of a sixth embodiment of the device for authenticating a user's access rights to resources according to the present invention;

FIG. 23 is a flow chart showing functions of means constituting devices of the sixth embodiment;

FIG. 24 is a block diagram showing the constitution of a seventh embodiment of the device for authenticating a user's access rights to resources according to the present invention;

FIG. 25 is a flow chart showing functions of means constituting devices of the seventh embodiment; and

FIG. 26 is a block diagram showing a part of the constitution of a proving device of ninth and tenth embodiments of the device for authenticating a user's access rights to resources according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

At first, an example of the fundamental constitution of the present invention is described. The user authentication system of the example can be applied to privacy protection of electronic mails or control of access to files or computer resources as well as control of execution of applications.

In FIG. 1, the user authentication system comprises a verification device 10 and a proving device 11: the proving device 11 receives an access ticket (proof support data) from an access ticket generation device 12; the verification device 10 executes a verification routine 15; the proving device 11 retains user identifying information 16 and the access ticket 13 and executes a response generation program 17.

The access ticket generation device 12 is installed on the protector side, such as an application provider. The access ticket generation device 12 generates the access ticket 13 based on the unique security characteristic information of the device 14 and the user identifying information 16, and the access ticket 13 is forwarded to the user through communication or sending of a floppy diskette or the like, to be retained by the proving device 11 of the user. Then the verification device 10 sends challenging data 18 to the proving device 11. The proving device 11 generates a response 19 by utilizing the access ticket 13 and the user identifying information 16, and returns it to the verification device 10. The verification device 10 verifies the legitimacy of the response based on the challenging data, that is, the verification device 10 verifies that the response has been generated based on the challenging data and the unique security characteristic information of the device.

If the legitimacy of the response is verified, the access rights of the user are authenticated; accordingly, continuation of execution of a program, access to files, and so forth, are permitted.

With the above constitution, an example of execution control of an application program is now described.

In the above constitution, a user of an application program retains only one piece of user identifying information 16. The user identifying information is equivalent to a password in password authentication and is unique, significant information which identifies the user. If it is possible for the user to copy and distribute the user identifying information 16, it will lead to the use of the application program by users without legitimate access rights; therefore, the user identifying information 16 is protected by protection means so that even the user who is the legitimate owner of the user identifying information 16 cannot extract it. The protection means may be hardware with a protecting effect (hereinafter referred to as tamper-resistant hardware) against theft of the inside conditions by external probes. A method of implementation of the tamper-resistant hardware will be described later.

In addition to the user identifying information 16, the response generation program 17 which executes predetermined computations is provided to the user. The program 17 performs communication with a user authentication routine (verification routine 15): on receiving two parameters, namely, the user identifying information 16 and the access ticket 13, the program 17 executes computations on arbitrary inputted values to generate the response 19 for identifying the user. The user identifying information 16 is used in the course of the computation, and it is required to protect at least a part of the program 17 by the protection means, since leakage of the user identifying information 16 to the outside will cause a problem for the above-described reason.

Hereinafter, the memory means for storing the user identifying information and the part of the program which are protected by the protection means, the device for executing that part of the program (for example, consisting of a memory and an MPU) and the protection means are integrally referred to as a token (shown by the reference numeral 20 in FIG. 1). The token may have portability, like a smart card.

Similar to the conventional execution control technologies, the verification routine 15 is set in the application program. The verification routine 15 is the same as that of the conventional technologies in that it communicates with the response generation program 17 retained by the user, and continues execution of the program if and only if the returned result (response 19) is correct. Therefore, it is necessary that the program creator knows the method of computing the combination of transferred data (challenging data 18) and the correct returned data corresponding thereto (response 19).

Some examples of functions of the verification routine 15 are explained as follows:

1. Data to be transferred (challenging data 18) and expected returned data (expected value) are embedded in the verification routine 15. The verification routine 15 fetches the data to be transferred and transfers it to the user, and receives the returned data from the user. Then the verification routine 15 compares the returned data from the user with the expected value: if they are identical with each other, the verification routine 15 executes the next step of the program; if they are not identical, the verification routine 15 halts the execution of the program.

In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance with a predetermined encryption algorithm, the unique security characteristic information of the device is an encryption key.

2. Data to be transferred (challenging data 18) and data generated by applying a one-way function to the expected returned data (expected value) are embedded in the verification routine 15. The verification routine 15 fetches the data to be transferred and transfers it to the user, and receives the returned data from the user. Then the verification routine 15 compares the data generated by applying the one-way function to the returned data from the user with the expected value: if they are identical with each other, the verification routine 15 executes the next step of the program; if they are not identical, the verification routine 15 halts the execution of the program.

In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance with a predetermined encryption algorithm, the unique security characteristic information of the device is an encryption key.

3. Protection is provided by encrypting a part of the code of the application program in accordance with a predetermined encryption algorithm so that execution of the program is impossible as delivered. The verification routine 15 transfers the encrypted code to the user and receives returned data from the user, and then replaces the encrypted code with the received value.

With this constitution, execution of the program is possible if and only if the returned data is a correct decryption of the encrypted code. In this case, the unique security characteristic information is a decryption key for decrypting the encrypted code.

4. Protection is provided by encrypting a part of the code of the application program in accordance with a predetermined encryption algorithm so that execution of the program is impossible as delivered. Moreover, data generated by encrypting a decryption key paired with the encryption key used for encrypting the code is embedded as transferred data in the verification routine 15. The verification routine 15 transfers the encrypted decryption key to the user and receives returned data from the user, and then decrypts the encrypted code with the value of the received data as the decryption key.

With this constitution, the encrypted code is correctly decrypted if and only if the returned data is the decryption key which has been correctly decrypted, and accordingly execution of the program becomes possible. In this case, the unique security characteristic information of the device is a decryption key for decrypting the encrypted decryption key.

In the conventional execution control technologies, the user identifying information (authentication key of the user) is identical with the unique security characteristic information of the device. The conventional response generation routine receives the unique security characteristic information and the data transferred from the verification routine as the input, and then executes computations thereto for generating the data to be returned.

By contrast, the present invention is characterized in that the user identifying information 16 and the unique security characteristic information of the device 14 are independent of each other. In this constitutional example, the response generation program 17 adds the access ticket 13 to the user identifying information 16 and the data transferred from the verification routine 15 (challenging data 18) as the input, and then executes predetermined computations on them for generating the data to be returned (response 19). The constitution has the following properties:

1. The access ticket 13 is the data calculated based on the specific user identifying information 16 and the unique security characteristic information of the device.

2. At least from the viewpoint of the computation amount, it is impossible to calculate the unique security characteristic information from the access ticket 13 without knowing the user identifying information 16.

3. The response generation program 17 executes computations for generating the correct data to be returned if and only if a correct combination of the user identifying information 16 and the access ticket 13 is given. Note that the access ticket 13 has been calculated based on the user identifying information 16.

With the constitution described so far, the execution control can be carried out by the following steps: the user has the user identifying information 16 in advance; the program creator prepares the application program independent of the user identifying information 16 retained by the user; and the program creator generates the access ticket 13 based on the user identifying information 16 and the unique security characteristic information of the device 14 used in creating the application program and distributes the access ticket 13 to the user.

It may be possible to constitute the user identifying information 16 by two pieces of user identifying information, for distinguishing the information used for preparing the access ticket 13 from the information used in a communication program by the user. In the most representative example, the user identifying information 16 is made to be a public key pair: the public key is published to be used for generating the access ticket; and the private key is confined within the token 20 as the user's individual secret information. In this case, it is possible to calculate the access ticket 13 while the user identifying information 16 is kept secret, by calculating the access ticket 13 from the unique security characteristic information 14 and the public key of the public key pair.

First Embodiment

In a first embodiment, an access ticket t is defined by the relation (1).

t = D − e + ωφ(n)   (1)

In the following bulleted paragraphs, the symbols used in the above relation are described.

- An integer n is an RSA modulus, hence a product of two very large prime numbers p and q (n = pq).
- φ(n) denotes the Euler number of n, hence a product of the two integers p−1 and q−1 (φ(n) = (p−1)(q−1)).
- A piece of user identifying information e is an integer allocated to each user. A piece of user identifying information is unique to a user: different user identifying information is allocated to each different user.
- An access-ticket secret key D is a private key of an RSA public key pair. Since the modulus is assumed to be n, the relation (2) is derived from the definition.
  gcd(D, φ(n)) = 1   (2)
  In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer E satisfying the relation (3), which is called an access-ticket public key, is derived from the relation (2).
  ED mod φ(n) = 1   (3)
- ω is an integer dependent upon both n and e. It is required that a probably different value will be allocated to ω if at least one of n and e is different. In defining ω in a consistent manner, a one-way hash function h may be used.
  ω = h(n|e)   (4)
  In the relation (4), n|e denotes the concatenation of the two bit-string representations of n and e. A one-way hash function h is a function having the property that it is extremely difficult to calculate two distinct x and y satisfying h(x) = h(y). Known examples of one-way hash functions are MD2, MD4 and MD5 of RSA Data Security Inc., and the standard SHS (Secure Hash Standard) of the U.S. federal government.

Among the above numbers, t, E and n can be open to the public without any risk, while the rest of the numbers, namely D, e, ω, p, q and φ(n), are to be kept secret from everybody but those who are allowed to generate an access ticket. FIG. 3 depicts the constitution of the first embodiment. A verification device 10 comprises the following: an access ticket public key storing means 101; a random number generation means 102; a random number storing means 103; a response storing means 105; a verification means 106; an execution means 107; and an error trapping means 108. On the other hand, a proving device 11 comprises the following: a challenging data storing means 111; a first calculation means 112; an access ticket storing means 113; a second calculation means 114; a user identifying information storing means 115; and a response generation means 116.

In the following numbered paragraphs, the function of the means constituting the devices will be described.

1. The verification device 10 is invoked by a user. The way to invoke the device varies depending upon how the device is implemented. A few examples are now shown. First, the verification device 10 may be implemented as a part of an application program to be installed and executed on a user's PC or workstation. In this case, the user may invoke the verification device 10 by invoking the application program in ordinary ways. For example, the user may click the iconic symbol representing the application program on the computer screen with a pointing device such as a mouse, or may use a keyboard. The verification device 10 may be implemented as a program installed and executed on a server computer that is connected to a user's PC or workstation by means of a computer network. In this case, in order to invoke the verification device 10, a user first invokes a communication program installed on his/her own PC or workstation: the communication program establishes a connection to the server, and asks the server to invoke the verification device 10. When the communication program and the server follow the TCP/IP protocols, for instance, the verification device 10 is allocated to a predefined port number on the server computer. When the communication program issues a request for establishing a connection to the port, inetd, a daemon program running on the server computer, receives the request. After checking which program is allocated to the specified port, it finally invokes the verification device 10, and establishes a connection between the verification device and the communication program. This way of implementation is very common in networked computer systems like the Internet. The verification device 10 may also be implemented as a program written on a ROM or EEPROM within a smart card reader-writer. In this case, the proving device 11 is a program installed on an IC chip of a smart card; the verification device 10 is invoked whenever a user inserts his/her smart card into the smart card reader-writer.

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 of the proving device 11. The modulus n is stored in the access-ticket public key storing means 101. On the other hand, the challenging data C is generated as follows: the random number generation means 102 generates a random integer r so that r and the modulus n are relatively prime (gcd(r, n) = 1); the generated random integer r is stored in the random number storing means 103; finally, the random number generation means 102 sets the value of C to r. As stated later in more detail, the response which the proving device 11 is to return to the verification device 10 is the RSA encryption of r with D as the key and n as the modulus. Since the value of C is identical to the random integer r, it varies with each occurrence of communication between the verification device 10 and the proving device 11. This prevents a so-called replay attack from succeeding.

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R′ according to the relation (5). The access ticket t to be used is stored in the access ticket storing means 113.
   R′ = C^(t) mod n   (5)

4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation (6). The user identifying information e to be used is stored in the user identifying information storing means 115.
   S = C^(e) mod n   (6)

5. Receiving R′ and S from the first calculation means 112 and the second calculation means 114, the response generation means 116 of the proving device 11 calculates a response R according to the relation (7).
   R = R′S mod n   (7)

6. The proving device 11 returns the generated response R to the response storing means 105 of the verification device 10.

7. The verification means 106 of the verification device 10 first performs the calculation (8). Both the exponent E and the modulus n are stored in the access ticket public key storing means 101, and the response R is stored in the response storing means 105.
   R^(E) mod n   (8)
   Finally, the verification means 106 examines the relation (9).
   C mod n = R^(E) mod n   (9)
   If the relation (9) holds, the verification means invokes the execution means 107. The execution means 107 provides the user with the utilities that he/she wanted to access. Otherwise, it invokes the error trapping means 108. The error trapping means 108 may deny user access by terminating the execution.

Second Embodiment

A second embodiment to be described is the same as the first embodiment regarding the definition of an access ticket t and the function of the proving device. However, the verification device works differently. The difference in the roles of challenging data C and a response R causes the difference in function between the two embodiments: in the first embodiment, a response R is the encryption of random challenging data C; in the second embodiment, a response R will be the decryption of challenging data C, which is the encryption of some other meaningful data.

FIG. 5 depicts the constitution of devices of the second embodiment, and FIG. 6 depicts flow of data. A verification device 10 comprises the following means: an access ticket public key storing means 101; a random number generation means 102; a random number storing means 103; a response storing means 105; a randomizing means 121; a challenge seed storing means 122; a de-randomizing means 123; and an execution means 310. A proving device 11 comprises the following means: a challenging data storing means 111; a first calculation means 102; an access ticket storing means 113; a second calculation means 114; a user identifying information storing means 115; and a response generation means 116.

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

-   -   1. The verification device 10 is invoked by a user.
    -   2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 of the proving device 11. The modulus n is stored in the access ticket public key storing means 101. On the other hand, challenging data C is generated by carrying out the following steps: the random number generating means 102 generates a random integer r so that r and the modulus n are relatively prime (gcd(r, n)=1); the random integer r is stored in the random number storing means 103; the randomizing means 121 generates challenging data C according to the relation (10).
        C=r^(E)C′ mod n   (10)
        -   The integer C′ is stored in the challenge seed storing means 122, and satisfies the relation (11) for some data K.
            C′=K^(E) mod n   (11)
        -   The exponent E (access ticket public key) and the modulus n are both stored in the access ticket public key storing means 101. The verification device 10 retains the encryption C′ of K instead of K itself. In fact, C′ is the RSA encryption of K with a public key E and a modulus n. This has an advantage from the viewpoint of security: the data K, crucial for authentication procedures, never leaks from the verification device 10. The randomness of r also plays an important role: if r were identical to some secret constant, the challenging data C would be the encryption of the data K up to a constant coefficient, and therefore the response which the proving device 11 generates would be K up to a constant coefficient; thus, a constant r would allow replay attacks, since communication between the verification device 10 and the proving device 11 would always be identical. In this embodiment, by generating challenging data C so that it depends on a random number r (see the relation (10)), communication between the verification device 10 and the proving device 11 varies from run to run, and therefore attempts at a replay attack become hopeless.
    -   3. The first calculation means 112 of the proving device 11 calculates an intermediate result R′ according to the relation (12).
        R′=C^(t) mod n   (12)
        -   In the course of calculation, the means uses the access ticket t stored in the access ticket storing means 113.
    -   4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation (13).
        S=C^(e) mod n   (13)
        -   In the course of calculation, the means uses the user identifying information e stored in the user identifying information storing means 115.
    -   5. Receiving the intermediate result R′ and the differential S from the first calculation means 112 and the second calculation means 114, the response generation means 116 of the proving device calculates a response R according to the relation (14).
        R=R′S mod n   (14)
    -   6. The proving device 11 returns the generated response R to the response storing means 307 of the verification device 10.
    -   7. The de-randomizing means 307 of the verification device 10 calculates K′ according to the relation (15).
        K′=r⁻¹R mod n   (15)
        -   In the course of calculation, the means uses the random number r stored in the random number storing means 103 and the response R stored in the response storing means 105. Note that the values K′ and K are identical with each other if and only if the proving device 11 calculated the response R based on a right pair of an access ticket t and a user identifying information e. Finally, the de-randomizing means 123 sends K′ to the execution means 310, and the execution means 310 executes predefined procedures using this given K′. The execution means 310 is designed so that it works properly only when K′ is identical with K; otherwise it fails to work.

The following paragraphs describe several examples of implementation of the execution means 310.

-   -   1. FIG. 7 depicts a first example. A memory means 310a of the execution means 310 retains the data K. Receiving K′ from the de-randomizing means 123, a comparison means 310b directly examines the equality K=K′. If the equality does not hold, the execution means 310 suspends its performance immediately. Otherwise, the execution means 310 continues its performance and provides users with utilities. This example has the disadvantage caused by the fact that the data K, critical for authentication procedures, appears as it is in the device: when a computer program to be installed and executed on a user's PC or workstation is implemented as the execution means 310, it is not impossible for a user to find out the value K by analyzing the code of the application program. The value K is crucial because, once the user knows the value of K, and further if he/she can predict the random number sequences to be generated by the random number generation means 102, he/she can construct a device simulating the proving device 10 without either an access ticket or a user identifying information e. In other words, anybody could pass the authentication check of the verification device 10 with this simulator, whether he/she is authorized or not.
    -   2. FIG. 9 depicts a second example. In this example, a memory means 310a retains h(K), instead of K, which is the value obtained by applying a one-way hash function h to K. A significant property of one-way hash functions is that it is computationally impossible to calculate x satisfying y=h(x) given y. Receiving K′ from a de-randomizing means 123, a hashing means 310c calculates h(K′), which is the result of applying the one-way hash function h to K′. Then, the comparison means 310b examines the identity of this h(K′) and the value stored in the memory means 310a (=h(K)). Compared with the first example, this example is safer since there is no effective means to find out the critical data K: even if a user succeeded in analyzing the code of the program constituting the execution means 310, he/she couldn't find out any more than the value of h(K); due to the property of one-way hash functions, it is computationally impossible to calculate K given h(K). However, when the execution means 310 is implemented as a computer program, the comparison means 310b may be represented as an if-clause. If the verification device is further assumed to be executed on a user's PC or workstation, a user may have a chance to modify the code so that the if-clause is always skipped. Therefore, the implementation of this example is not safe enough, in particular if the execution means 310 is implemented as a computer program to be executed on a user's PC or workstation.
    -   3. FIG. 11 depicts a third example. This time, protection is applied such that execution of the program of the execution means 310 becomes impossible by encrypting a portion or the whole of the code of the program. The encrypted code is stored in the challenge seed storing means 122 as a seed C′ for challenging data C. More precisely, the crucial data K is the program code to be encrypted, and C′ is the RSA encryption of the code K with a public key E and a modulus n (C′=K^(E) mod n). Both E and n are the values stored in the access ticket public key storing means 101. The execution means 310 includes a code storing means 310d, a code loading means 310e and a code execution means 310f. The code loading means 310e feeds K′, which the code storing means 310d received from the de-randomizing means 123, to the code execution means 310f. Only when K′ is identical with K is the code fed to the code execution means 310f meaningful as a part of the program of the execution means 310. In the following, a more detailed description of the composition is provided. Consider the case where the execution means 310 is implemented as a computer program executed on a user's PC or workstation. The code storing means 310d is a specified region within a memory of the user's PC. The code execution means 310f comprises the CPU and OS of the PC. The CPU and OS, cooperating with each other, fetch instructions from a certain predefined region within the memory space (called the program region), and execute those instructions one by one. Generally speaking, a meaningful chunk of instructions is called a program, and a program is located within the program region. The entity of the code loading means 310e is a part of the program constituting the execution means 310, and it is to be executed first when the execution means 310 is invoked. When invoked, the code loading means 310e orders the code execution means 310f to copy the content stored in the code storing means 310d onto a specified area within the program region, and then orders the code execution means 310f to execute the copied sequence of instructions by issuing a JMP command, for example. Thus, since a part or the whole of the code of the program of the execution means 310 is encrypted, and further since it is decrypted temporarily only when the verification device 10 and the proving device 11 cooperate with each other properly, the execution means 310 is much safer than in the cases of the preceding two examples: even if a user succeeded in analyzing the program, he/she couldn't obtain the missing code K at all; modifying the code of the program without knowledge of K is definitely of no use.
    -   4. FIG. 13 depicts a fourth example. This example is substantially the same as the third example except that K is the encryption key used in encrypting the code of the program constituting the execution means 310, while K is the code itself in the previous example. Since the code to be encrypted may be of large size, according to the composition of the third example, the size of K (namely, that of C′ and C) may be large enough to make the performance of the verification device 10 and the proving device 11 worse. In contrast, according to the composition of the fourth example, the size of K (namely, that of C′) remains unchanged irrespective of the size of the program code to be encrypted: the size of K is determined by the cipher algorithm to be used; if DES (Data Encryption Standard) is used, K is always 64 (56) bits long even when the size of the code to be encrypted is measured in megabytes. The execution means 310 comprises an encrypted code storing means 310g, a decryption means 310h, a code loading means 310l, and a code execution means 310f. Receiving the data K′ from the de-randomizing means 123, the decryption means 310h decrypts the content stored in the encrypted code storing means 310g. In the process of decryption, K′ is used as the decryption key. The code loading means 310l loads the output of the decryption means 310h, which is the decrypted code if K′ is identical with K, onto a specified area within the program region, and then orders the execution means 310f to execute the loaded code.

Third Embodiment

In a third embodiment, the definition of an access ticket is given as the relation (16).

t=D+F(n, e)   (16)

The following bulleted paragraphs illustrate the symbols appearing in the relation (16).

-   -   An integer n is an RSA modulus, hence a product of two very large prime numbers p and q (n=pq).
    -   φ(n) denotes the Euler number of n, hence a product of the two integers p−1 and q−1 (φ(n)=(p−1)(q−1)).
    -   A user identifying information e is an integer allocated to each user. The user identifying information e is unique to each user: a different user identifying information is allocated to a different user.
    -   An access-ticket secret key D is the private key of an RSA public key pair. Since the assumed modulus is n, D satisfies the relation (17).
        gcd(D, φ(n))=1   (17)
        -   In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer E satisfying the relation (18), which is called an access-ticket public key, is derived from the relation (17).
            ED mod φ(n)=1   (18)
    -   A two-variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as in the relation (19).
        F(x, y)=h(x|y)   (19)

FIGS. 15 and 16 are for depicting this embodiment: FIG. 15 depicts the constitution of the devices of this embodiment; FIG. 16 depicts flow of data. In FIG. 15, a proving device 11 comprises a challenging data storing means 111, a first calculation means 112, an access ticket storing means 113, a second calculation means 114, a user identifying information storing means 115, a response generation means 116, and an exponent generation means 130. A verification device 10 in this embodiment may be identical with that in either the first embodiment (shown in FIG. 3) or the second embodiment (shown in FIG. 5).

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

-   -   1. The verification device 10 is invoked by a user.
    -   2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 of the proving device 11. The modulus n is stored in the access ticket public key storing means 101, and the challenging data C is generated in one of the manners defined in the first embodiment or the second embodiment: C is identical with either r^(E) mod n or r^(E)C′ mod n.
    -   3. The first calculation means 112 of the proving device 11 calculates an intermediate result R′ according to the relation (20). An access ticket t to be used is stored in the access ticket storing means 113.
        R′=C^(t) mod n   (20)
    -   4. The exponent generation means 130 calculates F(n, e) by applying the collision-free function F to the modulus n, stored in the challenging data storing means 111, and the user identifying information e, stored in the user identifying information storing means 115.
        F(n, e)   (21)
    -   5. Receiving the result from the exponent generation means 130, the second calculation means 114 of the proving device 11 calculates a differential S according to the relation (22).
        S=C^(F(n, e)) mod n   (22)
    -   6. Receiving R′ and S from the first calculation means 112 and the second calculation means 114, the response generation means 116 of the proving device calculates a response R according to the relation (23).
        R=R′S⁻¹ mod n   (23)
        -   In the relation (23), S⁻¹ denotes the reciprocal of S under the modulus n. Hence, S and S⁻¹ satisfy the relation (24).
            SS⁻¹ mod n=1   (24)
    -   7. The proving device 11 returns the generated response R to the response storing means 105 of the verification device 10.
    -   8. The verification device 10 examines the response received from the proving device 11.
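A worked run of the first, second and third embodiments, added here as an example rather than code taken from the patent: it uses a constructed toy RSA key (n=61·53), SHA-256 standing in for the one-way hash h inside F, and a fixed ω in the ticket of the first two embodiments; all three are assumptions, and a mismatched e is shown to fail verification.

```python
"""Access-ticket challenge/response of the first, second and third embodiments,
written as a runnable toy (constructed 12-bit RSA key; real keys are 2048+ bits)."""
import hashlib
import secrets
from math import gcd
from typing import Callable, Optional

# Constructed toy RSA key (assumption): n = 61 * 53, phi(n) = 60 * 52.
P, Q = 61, 53
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 17                    # access-ticket public key, stored in the verification device
D = pow(E, -1, PHI)       # access-ticket secret key, known only to the ticket issuer


def F(x: int, y: int) -> int:
    """Collision-free F(x, y) = h(x | y) of relation (19); SHA-256 plays the role of h."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def issue_ticket_v1(e: int, w: int = 3) -> int:
    """Access ticket of the first and second embodiments: t = D - e + w*phi(n)."""
    return D - e + w * PHI


def issue_ticket_v3(e: int) -> int:
    """Access ticket of the third embodiment (relation (16)): t = D + F(n, e)."""
    return D + F(N, e)


# ---- proving device 11 -------------------------------------------------------
def prove_v1(c: int, n: int, t: int, e: int) -> int:
    """First/second embodiments: R' = C^t, S = C^e, R = R' S mod n (relations (12)-(14))."""
    r_prime = pow(c, t, n)
    s = pow(c, e, n)
    return r_prime * s % n


def prove_v3(c: int, n: int, t: int, e: int) -> int:
    """Third embodiment: R' = C^t, S = C^F(n,e), R = R' S^-1 mod n (relations (20)-(23))."""
    r_prime = pow(c, t, n)
    s = pow(c, F(n, e), n)
    return r_prime * pow(s, -1, n) % n


# ---- verification device 10 --------------------------------------------------
Responder = Callable[[int, int], int]   # (C, n) -> R, i.e. one round trip to the prover


def random_unit(n: int) -> int:
    """Random number generation means 102: r with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def verify_first(respond: Responder, r: Optional[int] = None) -> bool:
    """First embodiment: C = r; accept iff R^E = C mod n (relation (9))."""
    c = random_unit(N) if r is None else r
    return pow(respond(c, N), E, N) == c % N


def verify_second(respond: Responder, k: int, r: Optional[int] = None) -> bool:
    """Second embodiment: only C' = K^E mod n is stored; C = r^E C' mod n; accept iff
    the de-randomized K' = r^-1 R mod n equals K (relations (10), (11), (15))."""
    c_seed = pow(k, E, N)                          # challenge seed storing means 122
    r = random_unit(N) if r is None else r
    c = pow(r, E, N) * c_seed % N                  # randomizing means 121
    k_prime = pow(r, -1, N) * respond(c, N) % N    # de-randomizing means 123
    return k_prime == k


if __name__ == "__main__":
    e_user, k_secret = 1234, 42                    # constructed values
    t1 = issue_ticket_v1(e_user)
    good = lambda c, n: prove_v1(c, n, t1, e_user)
    wrong_e = lambda c, n: prove_v1(c, n, t1, e_user + 1)   # ticket/e mismatch
    print("first embodiment : correct e ->", verify_first(good),
          "| wrong e ->", verify_first(wrong_e))
    print("second embodiment: K recovered ->", verify_second(good, k_secret),
          "| wrong e ->", verify_second(wrong_e, k_secret))
    t3 = issue_ticket_v3(e_user)
    v3 = lambda c, n: prove_v3(c, n, t3, e_user)
    print("third embodiment : with first verifier ->", verify_first(v3),
          "| with second verifier ->", verify_second(v3, k_secret))
```

The optional r argument of the verifiers exists only to make runs reproducible; the random number generation means is used when it is omitted.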

Fourth Embodiment

In a fourth embodiment, a proving device 11 comprises a computer program executed on a user's PC or workstation, a smart card or PC card (PCMCIA card) attachable to the user's PC or workstation, and a program executed on this smart card or PC card.

As is obvious from the explanation of the former three embodiments, a user identifying information e, stored in a user identifying information storing means 115, must be kept secret from others. Furthermore, observing the process of execution of a second calculation means 114, which needs e as an input, may lead to leakage of e. The same situation applies to an exponent generation means 130. Consequently, in practical use, the user identifying information storing means 115, the second calculation means 114 and the exponent generation means 130 should be protected by some means against attempts to pry crucial secrets out of them.

One solution is confining the crucial part of the proving device 11 within hardware equipped with functions to prevent its inside from being observed or tampered with by unauthorized means. Generally, such hardware is called tamper-resistant hardware.

In creating the tamper-resistant hardware, it is possible to use the technology disclosed in Japanese Laid-open Patent Publication 5-75135, Japanese Laid-open Patent Publication 5-68727 or Japanese Laid-Open Patent Publication 3-100753, for example. In Japanese Laid-open Patent Publication 5-75135, an enclosure composed of a plurality of cards having multi-layered conductive patterns is provided surrounding an information memory medium. Memory information is destroyed when the conductive pattern which is detected differs from an expected pattern.

In Japanese Laid-Open Patent Publication 5-68727, a detection circuit composed of an integration circuit or the like is provided surrounding an information memory medium in addition to a conductive winding being formed, and through this, when there is infiltration into the electronic circuit region, fluctuations in electromagnetic energy are detected and memory information is destroyed.

In Japanese Laid-Open Patent Publication 3-100753, an optical detector is provided within hardware, and the optical detector detects external light which enters when a force is applied which destroys the hardware or punctures the hardware, and a memory destruction device resets memory information.

Further, choosing tamper-resistant hardware with portability, such as a smart card or PC card, may provide users with additional merits. Among the information dealt with by a proving device 11, only an access ticket and a user identifying information are unique to an individual user. Hence, for example, it may be useful to confine a user identifying information storing means 115, an access ticket storing means 113, a second calculation means 114 and an exponent generation means 130 within a smart card or PC card, and implement the rest of the proving device 10 as a program to be executed on an arbitrary PC or workstation: a user can use an arbitrary PC or workstation, assuming that the program is installed on it, as his/her proving device simply by inserting his/her own smart card or PC card into the computer.

FIG. 17 depicts the constitution of a proving device 11 of the first and second embodiments when a user identifying information storing means 115 and a second calculation means 115 are confined within a smart card.

FIG. 18 depicts the constitution of a proving device 11 of the third embodiment when an exponent generation means 130, in addition to a user identifying information storing means 115 and a second calculation means 115, is confined within a smart card.

For both FIGS. 17 and 18, a card-side I/F means 141 within a smart card is an interface to a host computer for communication between the host computer and the smart card. More practically, the card-side I/F means 141 comprises buffer memory and a communication program.

A host-side I/F means 140, which is a part of a host computer, is the counterpart of the card-side I/F means 141. Both I/F means, cooperating with each other, transfer messages from the host computer to the smart card, and vice versa.

The following numbered paragraphs describe the function of the means constituting the devices.

-   -   1. The verification device 10 is invoked by a user.
    -   2. The verification device 10 sends challenging data C and a modulus n stored in the access ticket public key storing means 101 to the challenging data storing means 111 of the proving device 11.
    -   3. The host-side I/F means 140 of the proving device 10 sends the challenging data C and the modulus n to the card-side I/F means 141 within the smart card.
    -   4. The access ticket searching means 142 retrieves an access ticket t corresponding to the modulus n that is stored in the challenging data storing means 111. As shown before, in any of the former three embodiments, the definition of an access ticket t involves a modulus n (t=D−e+ωφ(n) or t=D+F(n, e)). In the access ticket storing means 113, zero or more access tickets are stored, and each access ticket is indexed with the modulus that was used in generating the access ticket.
    -   5. The first calculation means 112 of the proving device 11 calculates an intermediate result R′ according to the relation (25). An access ticket t is stored in the access ticket storing means 113.
        R′=C^(t) mod n   (25)
    -   6. The host-side I/F means 140 issues a request for a differential S to the card-side I/F means 141. The response which the host-side I/F means 140 receives is a differential S of one of the following forms: if the access ticket t and the means within the smart card were implemented in the manner of the first and second embodiments, the differential S satisfies the relation (26); if the access ticket t and the means within the smart card were implemented in the manner of the third embodiment, the differential S satisfies the relation (27).
        S=C^(e) mod n   (26)
        S=C^(F(n, e)) mod n   (27)
    -   7. The response generation means 116 of the proving device 11 calculates a response R according to either the relation (28) or (29): if the access ticket t and the means within the smart card were implemented in the manner of the first and second embodiments, the relation (28) shall be applied; if the access ticket t and the means within the smart card were implemented in the manner of the third embodiment, the relation (29) shall be applied.
        R=R′S mod n   (28)
        R=R′S⁻¹ mod n   (29)
    -   8. The proving device 11 returns the generated response R to the response storing means 307 of the verification device 10.

In this embodiment, it is possible to calculate the intermediate result R′ and the differential S concurrently, because the former is calculated within the host computer and the latter within the smart card. Obviously, this concurrent calculation reduces the total time which the proving device 11 needs for calculating a response to received challenging data.

Further, in this embodiment, the access ticket storing means 113 may retain more than one access ticket, and the access ticket searching means 142 retrieves an appropriate access ticket using the modulus issued by the verification device 10 as the key for retrieval. Basically, each different verification device, which may be embedded within a different application program or server program, should assume a different modulus. Therefore, a user who wants to access more than one application program or server program is obliged to have a number of access tickets.

The stated function of the access ticket searching means 142 relieves a user of the burden of selecting the correct access ticket by himself.
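The host/smart-card split of this embodiment, added here as an example and not the patent's own implementation: the card object keeps e and the ticket table (indexed by modulus) to itself and only ever answers with S, the host computes R′ concurrently, and the verifier of the first embodiment checks the result against two different moduli. The two toy RSA moduli, the card API names and the use of threads for the concurrent calculation are assumptions.

```python
"""Host / smart-card split of the fourth embodiment as a runnable toy: e and the
access tickets never leave the SmartCard object, R' and S are computed concurrently,
and the ticket is looked up by the modulus the verification device sent."""
import secrets
from concurrent.futures import ThreadPoolExecutor
from math import gcd
from typing import Callable, Dict, Optional

# Two constructed verification devices (say, two applications), each assuming its
# own toy RSA modulus.  Only the ticket issuer needs phi(n) and D.
APPS = {
    3233: {"phi": 3120, "E": 17},   # n = 61 * 53
    4757: {"phi": 4620, "E": 13},   # n = 67 * 71
}
for _key in APPS.values():
    _key["D"] = pow(_key["E"], -1, _key["phi"])   # access-ticket secret key


def issue_ticket(n: int, e: int, w: int = 2) -> int:
    """Issuer: t = D - e + w*phi(n), the ticket form of the first and second embodiments."""
    return APPS[n]["D"] - e + w * APPS[n]["phi"]


class SmartCard:
    """Tamper-resistant side (FIG. 17): holds e and the ticket table indexed by modulus."""

    def __init__(self, e: int, tickets: Dict[int, int]):
        self._e = e                # user identifying information storing means 115
        self._tickets = tickets    # access ticket storing means 113 (modulus -> t)

    def search_ticket(self, n: int) -> int:
        """Access ticket searching means 142: the ticket generated for modulus n."""
        if n not in self._tickets:
            raise LookupError(f"no access ticket issued for modulus {n}")
        return self._tickets[n]

    def differential(self, c: int, n: int) -> int:
        """Second calculation means 114 inside the card: S = C^e mod n (relation (26)).
        Only C and n enter and only S leaves, so e is never exposed to the host."""
        return pow(c, self._e, n)


class HostProver:
    """Host-side part of the proving device: first calculation and response generation."""

    def __init__(self, card: SmartCard):
        self.card = card   # host-side I/F means 140 talking to card-side I/F means 141

    def respond(self, c: int, n: int) -> int:
        t = self.card.search_ticket(n)
        with ThreadPoolExecutor(max_workers=2) as pool:
            r_prime = pool.submit(pow, c, t, n)               # host: R' = C^t mod n (25)
            s = pool.submit(self.card.differential, c, n)     # card: S = C^e mod n  (26)
            return r_prime.result() * s.result() % n          # R = R' S mod n       (28)


def verify(n: int, respond: Callable[[int, int], int], r: Optional[int] = None) -> bool:
    """Verification device of the first embodiment: C = r, accept iff R^E = C mod n."""
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return pow(respond(r, n), APPS[n]["E"], n) == r % n


if __name__ == "__main__":
    e_user = 1234                                                   # constructed
    card = SmartCard(e_user, {n: issue_ticket(n, e_user) for n in APPS})
    host = HostProver(card)
    for n in APPS:
        print(f"modulus {n}: accepted ->", verify(n, host.respond))
    # Same tickets but a card holding a different e: the response no longer verifies.
    other = HostProver(SmartCard(e_user + 1, {n: issue_ticket(n, e_user) for n in APPS}))
    print("mismatched card :", verify(3233, other.respond))
    try:
        host.respond(5, 9999)
    except LookupError as exc:
        print("unknown modulus :", exc)
```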

Fifth Embodiment

In a fifth embodiment, the Pohlig-Hellman asymmetric key cryptography is used instead of the RSA public key cryptography.

In this embodiment, the definition of an access ticket t is given as the relation (30).

t=D+F(p, e)   (30)

The following bulleted paragraphs illustrate the symbols appearing in the relation (30).

-   -   An integer p is a very large prime number.
    -   A user identifying information e is an integer allocated to each user. The user identifying information e is unique to an individual user: a different user identifying information is allocated to a different user.
    -   An access ticket secret key D is one component of a Pohlig-Hellman asymmetric key pair. Since the assumed modulus is p, D satisfies the relation (31).
        gcd(D, p−1)=1   (31)
        -   In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer E satisfying the relation (32), which is called an access-ticket public key, is derived from the relation (31).
            ED mod (p−1)=1   (32)
    -   A two-variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as in the relation (33).
        F(x, y)=h(x|y)   (33)

FIGS. 20 and 21 are for depicting this embodiment: FIG. 20 depicts the constitution of the devices of this embodiment; FIG. 21 depicts flow of data. In FIG. 20, a proving device 41 comprises the following means: a challenging data storing means 411; a first calculation means 412; an access ticket storing means 413; a second calculation means 414; a user identifying information storing means 415; a response generation means 416; and an exponent generation means 430. On the other hand, a verification device 40 comprises the following means: a key storing means 401; a random number generation means 402; a random number storing means 403; a response storing means 405; a randomizing means 421; a challenging seed storing means 422; a de-randomizing means 423; and an execution means 310.

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

-   -   1. The verification device 40 is invoked by a user.
    -   2. The verification device 40 sends challenging data C and a modulus p to the challenging data storing means 411 of the proving device 41. The modulus p is stored in the key storing means 401. In this embodiment, the challenging data C is assumed to be generated in a manner similar to that in the second embodiment. However, it is easy to construct another embodiment such that challenging data C is generated in a manner similar to that in the first embodiment. The challenging data C in this embodiment is generated by carrying out the following steps: the random number generating means 402 generates a random integer r so that r and the modulus p are relatively prime (gcd(r, p)=1); the random integer r is stored in the random number storing means 403; and the randomizing means 121 generates challenging data C according to the relation (34).
        C=r^(E)C′ mod p   (34)
        -   The integer C′ is stored in the challenge seed storing means 422, and satisfies the relation (35) for some data K.
            C′=K^(E) mod p   (35)
        -   The exponent E (access ticket public key) and the modulus p are both stored in the key storing means 401.
    -   3. The first calculation means 412 of the proving device 41 calculates an intermediate result R′ according to the relation (36). An access ticket t to be used is stored in the access ticket storing means 113.
        R′=C^(t) mod p   (36)
    -   4. The exponent generation means 430 calculates F(p, e) by applying the collision-free function F to the modulus p, stored in the challenging data storing means 111, and the user identifying information e, stored in the user identifying information storing means 415.
        F(p, e)   (37)
    -   5. Receiving the result from the exponent generation means 430, the second calculation means 414 of the proving device 41 calculates a differential S according to the relation (38).
        S=C^(F(p, e)) mod p   (38)
    -   6. Receiving R′ and S from the first calculation means 412 and the second calculation means 414, the response generation means 416 of the proving device 41 calculates a response R according to the relation (39).
        R=R′S⁻¹ mod p   (39)
        -   In the relation (39), S⁻¹ denotes the reciprocal of S under the modulus p. Hence, S and S⁻¹ satisfy the relation (40).
            SS⁻¹ mod p=1   (40)
    -   7. The proving device 41 returns the generated response R to the response storing means 405 of the verification device 40.
    -   8. The de-randomizing means 423 of the verification device 40 calculates K′ according to the relation (41).
        K′=r⁻¹R mod p   (41)
        -   In the course of calculation, the means uses the random number r stored in the random number storing means 403 and the response R stored in the response storing means 405.

Sixth Embodiment

A sixth embodiment is substantially similar to the third embodiment except that the ElGamal public key cryptography is used this time instead of the RSA public key cryptography.

In this embodiment, the definition of an access ticket t is given as the relation (42).

t=X+F(p, e)   (42)

The following bulleted paragraphs illustrate the symbols appearing in the relation (42).

-   An integer p is a very large prime number.
-   A user identifying information e is an integer allocated to each user. The user identifying information is unique to an individual user: a different user identifying information is allocated to a different user.
-   Let (X, Y) be an arbitrary ElGamal asymmetric key pair assuming p is the modulus. Therefore the relation (43) is satisfied.

    Y=G^(X) mod p   (43)

    In the relation (43), G denotes an integer representing a generator of the multiplicative group of the finite field of order p. Equivalently, G satisfies the relations (44) and (45).

    G>0   (44)

    min {x>0 | G^(x)=1 mod p}=p−1   (45)

    X is called an access ticket secret key, while Y is called an access ticket public key.
-   A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as the relation (46) shows.

    F(x, y)=h(x|y)   (46)

FIGS. 22 and 23 are for depicting this embodiment: FIG. 22 depicts the constitution of the devices of this embodiment; FIG. 23 depicts the flow of data. In FIG. 22, a proving device 51 comprises the following means: a challenging data storing means 511; a first calculation means 512; an access ticket storing means 513; a second calculation means 514; a user identifying information storing means 515; a response generation means 516; and an exponent generation means 530. On the other hand, a verification device 50 comprises the following means: an access ticket public key storing means 501; a random number generation means 502; a random number storing means 503; a response storing means 505; a randomizing means 521; a challenge seed storing means 522; a de-randomizing means 523; and an execution means 310.

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

1. The verification device 50 is invoked by a user.
2. The verification device 50 sends a pair (u, C) of challenging data and a modulus p to the challenging data storing means 511 of the proving device 51. The modulus p is stored in the access ticket public key storing means 501. On the other hand, the challenging data u and C are generated as follows. The first component u is stored in the challenge seed storing means 522, and satisfies the relation (47) for some secret random number z.

    u=G^(z) mod p   (47)

    In the challenge seed storing means 522, one more seed C′ is stored. C′ satisfies the relation (48) for some crucial data K.

    C′=Y^(z)K mod p   (48)

    Using this C′ as a seed, the other component C is generated as follows. The random number generating means 502 generates a random integer r so that r and the modulus p are relatively prime (gcd(r, p)=1); the random integer r is stored in the random number storing means 503; the randomizing means 521 generates challenging data C according to the relation (49).

    C=rC′ mod p   (49)
3. The first calculation means 512 of the proving device 51 calculates an intermediate result S according to the relation (50). An access ticket t to be used is stored in the access ticket storing means 513.

    S=u^(t) mod p   (50)
4. The exponent generation means 530 calculates F(p, e) by applying the collision-free function F to the modulus p, stored in the challenging data storing means 511, and the user identifying information e, stored in the user identifying information storing means 515.

    F(p, e)   (51)
5. Receiving the result from the exponent generation means 530, the second calculation means 514 of the proving device 51 calculates a differential S′ according to the relation (52).

    S′=u^(F(p, e)) mod p   (52)
6. Receiving S and S′ from the first calculation means 512 and the second calculation means 514, the response generation means 516 of the proving device 51 calculates a response R according to the relation (53).

    R=S⁻¹S′C mod p   (53)

    In the relation (53), S⁻¹ denotes the reciprocal of S over the modulus p. Hence, S and S⁻¹ satisfy the relation (54).

    SS⁻¹ mod p=1   (54)
7. The proving device 51 returns the generated response R to the response storing means 505 of the verification device 50.
8. The de-randomizing means 523 of the verification device 50 calculates K′ according to the relation (55).

    K′=r⁻¹R mod p   (55)

    In the course of calculation, the means uses the random number r stored in the random number storing means 503 and the response R stored in the response storing means 505.

The straightforward implementation of the above constitution would involve the following problem: use of a common pair of seeds for challenging data (u, C′) for more than one occurrence of authentication allows an attacker to construct a device which emulates the proving device 11 without the user identifying information or the access ticket. To construct such an emulator, H=RC⁻¹ mod p is recorded first, where C is the challenging data at the first occurrence of authentication and R is the response to C calculated by the proving device 11. The emulator retains this H instead of the user identifying information e and the access ticket t, and on an arbitrary input (u, C) issued by the verification device 10, returns a response R calculated according to the relation R=HC mod p. Thus, the verification device 10 should have as many pairs of seeds (u, C′) as necessary, and should use a distinct pair for each distinct occurrence of authentication (note that z for u=G^(z) mod p is a random number).
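As an added illustration (not code from the patent), the sixth embodiment's exchange in Python with constructed toy parameters: p = 1019 as the prime modulus, SHA-256 as the hash h in F, and small constructed values for X, e, K, z and r. The last function mirrors the paragraph above by checking whether a value recorded from one run still passes when the verification device reuses, or refreshes, its seed pair.

```python
import hashlib
import secrets

# Constructed toy parameters, not from the patent: p = 1019 is a small prime
# (and (p-1)/2 = 509 is prime too).  Real deployments use primes of >= 2048 bits.
P = 1019


def multiplicative_order(g: int, p: int) -> int:
    """min {x > 0 | g^x = 1 mod p}, the left-hand side of relation (45), by brute force."""
    acc, x = g % p, 1
    while acc != 1:
        acc = acc * g % p
        x += 1
    return x


def find_generator(p: int) -> int:
    """Smallest integer G satisfying relations (44) and (45): order exactly p-1."""
    for g in range(2, p):
        if multiplicative_order(g, p) == p - 1:
            return g
    raise ValueError("p is not prime: no generator found")


def F(x: int, y: int) -> int:
    """Collision-free function F(x, y) = h(x|y) of relation (46); h is SHA-256 here."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def make_access_ticket(X: int, p: int, e: int) -> int:
    """Relation (42): the issuer combines the secret key X with F(p, e)."""
    return X + F(p, e)


def make_challenge(G, Y, p, K, z, r):
    """Verification device 50, step 2: seeds u = G^z (47) and C' = Y^z K (48),
    then the randomized component C = r C' mod p (49)."""
    u = pow(G, z, p)
    c_seed = pow(Y, z, p) * K % p
    return u, r * c_seed % p


def prove(u, C, p, t, e):
    """Proving device 51, steps 3-6: S = u^t (50), S' = u^F(p,e) (52),
    R = S^-1 S' C mod p (53).  Only t and e are needed; X is never reconstructed."""
    S = pow(u, t, p)
    S_prime = pow(u, F(p, e), p)
    return pow(S, -1, p) * S_prime % p * C % p


def derandomize(R, r, p):
    """Verification device 50, step 8: K' = r^-1 R mod p (55)."""
    return pow(r, -1, p) * R % p


def run_protocol(p, G, X, e, K, z, r):
    """One authentication; returns the verifier's K', which equals K for a valid ticket."""
    Y = pow(G, X, p)                       # relation (43)
    t = make_access_ticket(X, p, e)
    u, C = make_challenge(G, Y, p, K, z, r)
    R = prove(u, C, p, t, e)
    return derandomize(R, r, p)


def seed_reuse_check(p, G, X, e, K1, z1, r1, K2, z2, r2):
    """The caveat in the paragraph above: a value H = R C^-1 recorded during one run
    reproduces the verifier's expected K' in a later run only if the seed pair (u, C')
    is reused, i.e. z2 == z1 and K2 == K1.  Returns True when H alone passes run 2."""
    Y = pow(G, X, p)
    t = make_access_ticket(X, p, e)
    u1, C1 = make_challenge(G, Y, p, K1, z1, r1)
    H = prove(u1, C1, p, t, e) * pow(C1, -1, p) % p
    _u2, C2 = make_challenge(G, Y, p, K2, z2, r2)
    return derandomize(H * C2 % p, r2, p) == K2


if __name__ == "__main__":
    G = find_generator(P)
    X, e = 123, 4567                       # constructed secret key and user id
    K = secrets.randbelow(P - 1) + 1
    z, r = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    print("K' == K:", run_protocol(P, G, X, e, K, z, r) == K)
    print("reused seed pair rejected:", not seed_reuse_check(P, G, X, e, K, 77, 500, K, 77, 600))
    print("fresh seed pair rejected:", not seed_reuse_check(P, G, X, e, K, 77, 500, K, 200, 600))
```

With distinct z per authentication the recorded value no longer matches, which is exactly why the text requires a distinct seed pair for each occurrence.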

Seventh Embodiment

A seventh embodiment exploits the ElGamal signature rather than the RSA public key cryptography in the first three embodiments or the ElGamal public key cryptography in the sixth embodiment.

In this embodiment, the definition of an access ticket t is given as the relation (56).

t=X+F(p, e)   (56)

The following bulleted paragraphs illustrate the symbols appearing in the relation (56).

-   An integer p is a very large prime number.
-   A user identifying information e is an integer allocated to each user. The user identifying information e is unique to an individual user: a different user identifying information is allocated to a different user.
-   Let (X, Y) be an arbitrary ElGamal asymmetric key pair assuming p is the modulus. Therefore the relation (57) is satisfied.

    Y=G^(X) mod p   (57)

    In the relation (57), G denotes an integer representing a generator of the multiplicative group of the finite field of order p. Equivalently, an integer G satisfies the relations (58) and (59).

    G>0   (58)

    min {x>0 | G^(x)=1 mod p}=p−1   (59)

    X is called an access ticket secret key, while Y is called an access ticket public key.
-   A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as the relation (60) shows.

    F(x, y)=h(x|y)   (60)

FIGS. 24 and 25 are for depicting this embodiment: FIG. 24 depicts the constitution of the devices of this embodiment; FIG. 25 depicts the flow of data. In FIG. 24, a proving device 61 comprises the following means: a challenging data storing means 611; a random number generation means 612; a first calculation means 613; a second calculation means 614; an access ticket storing means 615; and a user identifying information storing means 616. On the other hand, a verification device 60 comprises the following means: an access ticket public key storing means 601; a random number generation means 602; a random number storing means 603; a response storing means 605; a verification means 606; an execution means 607; and an error trapping means 608.

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

1. The verification device 60 is invoked by a user.
2. The verification device 60 sends challenging data C, a modulus p and a generator G to the challenging data storing means 611 of the proving device 61. The modulus p and the generator G are stored in the access ticket public key storing means 601. On the other hand, the challenging data C is generated as follows: the random number generation means 602 generates a random integer r so that r and the modulus n are relatively prime (gcd(r, n)=1); the generated random integer r is stored in the random number storing means 603; finally, the random number generation means 602 sets the value of C to r. As stated later in more detail, the response which the proving device 61 is to return to the verification device 60 is an ElGamal signature of r with X as the signature key and p as the modulus.
3. The random number generation means 612 of the proving device 61 generates a random integer k so that k and p are relatively prime (gcd(k, p)=1). Receiving the random integer k from the random number generation means 612 and the modulus p and the generator G from the challenging data storing means 611, the first calculation means 613 calculates a first component R of a response according to the relation (61).

    R=G^(k) mod p   (61)

    Concurrently, the second calculation means 614 calculates a second component S of a response according to the relation (62).

    S=(C−R(t−F(p, e)))k⁻¹ mod (p−1)   (62)

    The access ticket t is stored in the access ticket storing means 615, and the modulus p and the challenging data C are stored in the challenging data storing means 611.
4. The proving device 61 returns the generated response R to the response storing means 605 of the verification device 60.
5. The verification means 606 of the verification device 60 examines the relation (63).

    G^(r)=Y^(R)R^(S) mod p   (63)

    The random integer r is stored in the random number storing means 603; the response pair (R, S) is stored in the response storing means 605; the modulus p, the access ticket public key Y and the generator G are all stored in the access ticket public key storing means 601.
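An added example, not from the patent, of the seventh embodiment in Python with constructed parameters (p = 1019, G = 2, SHA-256 for h, small constructed X and e). One assumption beyond the text: k is drawn coprime to p−1 rather than to p, because the inverse k⁻¹ in relation (62) is taken modulo p−1.

```python
import hashlib
import math
import secrets


def F(x: int, y: int) -> int:
    """Collision-free function F(x, y) = h(x|y) of relation (60); h is SHA-256 here."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def make_access_ticket(X: int, p: int, e: int) -> int:
    """Relation (56): t = X + F(p, e)."""
    return X + F(p, e)


def sign_challenge(C: int, p: int, G: int, t: int, e: int, k: int):
    """Proving device 61, step 3: R = G^k mod p (61) and
    S = (C - R(t - F(p, e))) k^-1 mod (p-1) (62).
    Assumption of this example: gcd(k, p-1) = 1, so that k^-1 modulo p-1 exists."""
    R = pow(G, k, p)
    X = t - F(p, e)                     # the signature key, recovered only inside the prover
    S = (C - R * X) * pow(k, -1, p - 1) % (p - 1)
    return R, S


def verify_signature(r: int, R: int, S: int, p: int, G: int, Y: int) -> bool:
    """Verification means 606, relation (63): G^r == Y^R R^S mod p."""
    return pow(G, r, p) == pow(Y, R, p) * pow(R, S, p) % p


def run_protocol(p, G, X, e, r, k, ticket=None) -> bool:
    """One authentication with challenge C = r.  `ticket` overrides the genuine
    access ticket so that a mismatched ticket can be tried against the verifier."""
    Y = pow(G, X, p)                       # relation (57), the access ticket public key
    t = make_access_ticket(X, p, e) if ticket is None else ticket
    R, S = sign_challenge(r, p, G, t, e, k)
    return verify_signature(r, R, S, p, G, Y)


def random_coprime(m: int) -> int:
    """Random integer in [1, m) coprime to m, used for the prover's k with m = p-1."""
    while True:
        k = secrets.randbelow(m - 1) + 1
        if math.gcd(k, m) == 1:
            return k


if __name__ == "__main__":
    p, G = 1019, 2                       # constructed: 1019 is prime and 2 generates (Z/1019Z)*
    X, e = 123, 4567                     # constructed secret key and user id
    r = secrets.randbelow(p - 1) + 1     # verification device 60: C = r
    k = random_coprime(p - 1)
    print("genuine ticket accepted:", run_protocol(p, G, X, e, r, k))
    wrong = make_access_ticket(X, p, e) + 1   # a ticket not issued for this (X, e)
    print("altered ticket accepted:", run_protocol(p, G, X, e, r, k, ticket=wrong))
```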

Eighth Embodiment

An eighth embodiment provides an example of how to generate access tickets safely.

In all of the previous embodiments, access tickets are calculated as the output of a predefined function on input of specific secret information, namely user identifying information and access ticket secret keys. Since leakage of that secret information threatens the safety of the entire scheme of authentication, a safe device may be necessary for generating access tickets. Such a device is required to provide a function which absolutely prevents leakage of the secret information contained within it or of the results of calculations carried out within it.

One of the simplest ways to constitute such a safe device is to implement the services of generating and issuing access tickets to users on an isolated computer kept safe from any attempts at illegal access by users: in order to protect that server computer against physical access by users, the computer should be placed in a room into which entry is severely controlled; further, if the server computer is networked with users' PCs and access tickets are issued to users over the network, the threat of attacks via the network should be taken into account; in protecting the server computer from those network attacks, firewall technology (for details see “Building Internet Firewalls” by D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, Inc.) may be useful.

As shown in the previous embodiments, an access ticket is generated so that only the user to whom the ticket is issued can use it. Speaking more accurately, a user may succeed in the authentication procedure between a verification device and a proving device if and only if he is able to feed to the proving device both an access ticket and the user identifying information based on which the access ticket has been generated.

Moreover, access tickets stated in the previous embodiments satisfy a stricter standard of safety: there is no way to forge an access ticket or to construct a device which emulates the proving device even though an attacker is assumed to be able to collect an arbitrary number of access tickets issued by legitimate access ticket issuers.

The fact that access tickets satisfy the above standard implies that access tickets are safe enough to be conveyed to users by relatively insecure means like electronic mail on the Internet.

Ninth Embodiment

A ninth embodiment uses a composition method for an access ticket and user identifying information differing from those of the previous embodiments. This method is different from those of the previous embodiments in that the public information associated with the user identifying information is used instead of the user identifying information itself in generating an access ticket.

Therefore, according to the method stated below, a safe access ticket issuing server as stated in the eighth embodiment is not necessary: a user is allowed to generate an access ticket with a program executed on his own PC or workstation. That program doesn't contain any secret information or any secret algorithm.

The identifying information of a user U is the private key d_(u) of an RSA public key pair. By (e_(u), n_(u)), the public key corresponding to the private key d_(u) is denoted. Hence, n_(u)=p_(u)q_(u) for two distinct large prime numbers p_(u) and q_(u), and d_(u) and e_(u) are integers determined so as to satisfy the relations (64).

1≦d_(u)<(p_(u)−1)(q_(u)−1)
1≦e_(u)<(p_(u)−1)(q_(u)−1)   (64)
e_(u)d_(u)=1 mod (p_(u)−1)(q_(u)−1)

Hereafter, the condition that n_(u) is at least as large as a constant N common to all users is further assumed.

An access ticket for a user U is composed as follows: the public key (E, n) of an RSA public key pair is taken to be the public key of the access ticket to be generated; the private key D which is paired with this public key (E, n) is taken to be the secret key of the access ticket; when the prime factorization of n is n=pq, the relations (65) are established; finally, the access ticket t_(u) is defined by the relation (66).

1≦D<N
DE=1 mod (p−1)(q−1)   (65)

t_(u)=D^(e_(u)) mod n_(u)   (66)

In the above composition, the unique security characteristic information for the authentication process is the private key D. The same as in the cases of the previous embodiments, a user succeeds in the authentication procedure if and only if he is able to prove that he has the means to calculate a right response to challenging data issued to him by a verification device: the calculated response is right only when it is calculated based on the unique security characteristic information D.

The composition method presented in this embodiment is characterized by the property that an access ticket is an encryption of the unique security characteristic information D and the user identifying information is the unique decryption key to obtain D from the access ticket. In addition, since the user identifying information is the private key of an RSA key pair, anybody who is allowed to know the public key paired with the private key can generate an access ticket for the user at will.

Hereafter, the device composition and operation of the proving device 71 are described with reference to FIG. 26.

1. A verification device 10 sends challenging data C to a challenging data storing means 711 of a proving device 11.

2. A decryption key generation means 712 of the proving device 11 acquires the user identifying information d_(u) which is stored in a user identifying information storing means 715 and an access ticket t_(u) which is stored in an access ticket storing means 713, and then calculates D′ according to the relation (67).

D′=t_(u)^(d_(u)) mod n_(u)   (67)

3. On input of D′ calculated by the decryption key generation means 712 and the challenging data C stored in the challenging data storing means 711, a response generation means 714 of the proving device 71 calculates a response R according to the relation (68). The calculated response R is returned to the verification device 10.

R=C^(D′) mod n   (68)

4. The verification device 10 verifies the legitimacy of the response R.

The access ticket secret key D in the definition of the access ticket t_(u)=D^(e_(u)) mod n_(u) must be kept secret even from the user U. Therefore, the user identifying information storing means 713, the decryption key generation means 712 and the response generation means 714 are to be incorporated in a defense means 760 which is tamper-resistant hardware.

The same as in the cases of the previous embodiments, the verification device authenticates the access rights of the user if and only if he has the right pair of the ticket t_(u) and the user identifying information e.

Tenth Embodiment

A tenth embodiment is substantially the same as the ninth embodiment, except that a response R is calculated using a symmetric key cipher instead of the RSA public key cryptography as in the ninth embodiment, and an access ticket is the RSA encryption of the decryption key (the same as the encryption key) D of the symmetric key cipher. As the encryption key to generate the access ticket, the public key (e_(u), n_(u)) and the RSA algorithm are used.

When the encryption function of the symmetric key encryption is expressed as Encrypt(key, plain message) (the output of this function being the cipher message of the plain message which is the second argument of the function) and the decryption function is expressed as Decrypt(key, cipher message) (the output being the plain message corresponding to the cipher message which is the second argument of the function), the challenging data C is defined by the relation (69).

C=Encrypt(D, K)   (69)

Furthermore, the access ticket t_(u) is defined by the relation (70).

t_(u)=D^(e_(u)) mod n_(u)   (70)

Hereafter, the operation of the proving device 11 is described with reference to FIG. 26.

1. A verification device 10 sends challenging data C to a challenging data storing means 711.

2. A decryption key generation means 712 of the proving device 11 acquires the user identifying information d_(u) which is stored in a user identifying information storing means 715 and an access ticket t_(u) which is stored in an access ticket storing means 713, and then calculates D′ according to the relation (71).

D′=t_(u)^(d_(u)) mod n_(u)   (71)

3. On input of D′ calculated by the decryption key generation means 712 and the challenging data C stored in the challenging data storing means 711, a response generation means 714 of the proving device 11 calculates a response R according to the relation (72). The calculated response R is sent back to the verification device 10.

R=Decrypt(D′, C)   (72)

4. The verification device 10 verifies the legitimacy of the response R.
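An added example, not from the patent, running the ninth and tenth embodiments on one constructed RSA user key and one constructed access-ticket key. Assumptions: the ninth embodiment's verifier forms C = K^E mod n and accepts when R = K (the text only says it verifies the legitimacy of R), and the symmetric cipher of the tenth embodiment is a constructed XOR-with-SHA-256 stand-in, not any particular cipher.

```python
import hashlib


def rsa_keypair(p: int, q: int, e: int):
    """Toy RSA key from two constructed primes: returns (e, d, n) with e d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return e, pow(e, -1, phi), n


def issue_access_ticket(D: int, e_u: int, n_u: int) -> int:
    """Relations (66)/(70): t_u = D^{e_u} mod n_u.  Only the user's public key is
    needed, so any party may issue the ticket; D < n_u is relation (65) with N <= n_u."""
    if not 1 <= D < n_u:
        raise ValueError("D must be smaller than n_u or it cannot be recovered")
    return pow(D, e_u, n_u)


def recover_ticket_secret(t_u: int, d_u: int, n_u: int) -> int:
    """Decryption key generation means 712: D' = t_u^{d_u} mod n_u (67)/(71)."""
    return pow(t_u, d_u, n_u)


# --- ninth embodiment: RSA response ----------------------------------------
def rsa_challenge(K: int, E: int, n: int) -> int:
    """Assumed verifier construction (as in the earlier RSA embodiments): C = K^E mod n."""
    return pow(K, E, n)


def rsa_response(C: int, D_prime: int, n: int) -> int:
    """Response generation means 714, relation (68): R = C^{D'} mod n."""
    return pow(C, D_prime, n)


# --- tenth embodiment: symmetric response -----------------------------------
def encrypt(key: int, plain: bytes) -> bytes:
    """Constructed stand-in for Encrypt(key, message): XOR with a SHA-256 keystream
    derived from the key.  Decrypt(key, cipher) is the same operation.
    Messages are limited to 32 bytes by this toy construction."""
    stream = hashlib.sha256(str(key).encode()).digest()
    return bytes(a ^ b for a, b in zip(plain, stream))


decrypt = encrypt


def authenticate(E, D, n, e_u, d_u, n_u, K_rsa: int, K_sym: bytes):
    """Runs both embodiments for one user and returns (rsa_ok, symmetric_ok)."""
    t_u = issue_access_ticket(D, e_u, n_u)
    D_prime = recover_ticket_secret(t_u, d_u, n_u)   # inside the tamper-resistant part
    # ninth: the verifier accepts if R equals the K it encrypted (assumed check)
    rsa_ok = rsa_response(rsa_challenge(K_rsa, E, n), D_prime, n) == K_rsa
    # tenth: C = Encrypt(D, K) (69), R = Decrypt(D', C) (72), accepted if R == K
    sym_ok = decrypt(D_prime, encrypt(D, K_sym)) == K_sym
    return rsa_ok, sym_ok


def demo():
    # constructed keys: user's RSA key n_u = 61*53 = 3233, access-ticket key
    # n = 47*59 = 2773 < n_u, so D < n <= N <= n_u holds (relation (65))
    e_u, d_u, n_u = rsa_keypair(61, 53, 17)
    E, D, n = rsa_keypair(47, 59, 17)
    return authenticate(E, D, n, e_u, d_u, n_u, 1234, b"session-key-0001")


if __name__ == "__main__":
    print("(ninth ok, tenth ok) =", demo())
```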

The foregoing description of preferred embodiments of this invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention. The embodiments were chosen and described in order to explain the principles of the invention and its practical application to enable one skilled in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto, and their equivalents.

1. A device for authenticating user's access rights to resources comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing predetermined computations to the user unique identifying information and unique security characteristic information of the device; response generation means for generating a response from the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information of the device satisfy a specific predefined relation.
2. The device for authenticating user's access rights to resources of claim 1 further comprising: A device for authenticating user's access rights to resources comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation; and protect means for preventing any data inside stored information from being observed or being tampered with from the outside, and for at least confining storing the second memory means and the response generation means.
3. The A device for authenticating user's access rights to resources of claim 1, wherein comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation; wherein at least the second memory means and the response generation means are implemented within a small portable device such as a smart card.
4. The A device for authenticating user's access rights to resources of claim 1, wherein comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation; wherein the response generation means comprises: first calculation means for replaying the unique security characteristic information of the device by executing predetermined calculations to the unique identifying information of the user stored in the second memory means and the proof support information stored in the third memory means; and second calculation means for generating a response by executing predetermined calculations to the challenging data stored in the first memory means and the unique security characteristic information of the device replayed by the first calculation means.
5. The A device for authenticating user's access rights to resources of claim 1, wherein comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation; wherein the response generation means comprises: third calculation means for generating first intermediate information by executing predetermined calculations to the challenging data stored in the first memory means and the proof support information stored in the third memory means; fourth calculation means for generating second intermediate information by executing predetermined calculations to the challenging data stored in the first memory means and the user unique identifying information stored in the second memory means; and fifth calculation means for generating a response by executing predetermined calculations to the first intermediate information generated by the third calculation means and the second intermediate information generated by the fourth calculation means.
6. The device for authenticating user's access rights to resources of claim 5, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, at least confining the second memory means and the fourth calculation means.
7. The device for authenticating user's access rights to resources of claim 5, wherein at least the second memory means and the fourth calculation means are implemented within a portable device such as a smart card.
8. The A device for authenticating user's access rights to resources of claim 1, wherein comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information of the device is a decryption key of a cipher function, satisfy a specific predetermined relation; wherein the challenging data is encryption of information using the cipher function with the encryption key corresponding to the decryption key, and the verification means verifies the legitimacy of the response by verifying that the response generated by the response generation means is identical with decryption of the challenging data with the decryption key.
9. The A device for authenticating user's access rights to resources of claim 1, wherein comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information of the device is an encryption key of a cipher function, and satisfy a specific predefined relation; wherein the verification means verifies the legitimacy of the response by verifying that the response generated by the response generation means is identical with encryption of the challenging data with the encryption key.
10. The A device for authenticating user's access rights to resources of claim 1, wherein comprising: the characteristic information of the device is the signature key of a digital signature function, and first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation; wherein the verification means verifies the legitimacy of the response by verifying that the response generated by the response generation means is identical with the digital signature for the challenging data, which is calculated with the signature key.
11. The device for authenticating user's access rights to resources of claim 8, wherein the cipher function is of the asymmetric key cryptography, and the unique security characteristic information of the device is one component of the key pair of the cipher function.
12. The device for authenticating user's access rights to resources of claim 9, wherein the cipher function is of the asymmetric key cryptography, and the unique security characteristic information of the device is one component of the key pair of the cipher function.
13. The device for authenticating user's access rights to resources of claim 11, wherein the cipher function is of the public key cryptography, and the unique security characteristic information of the device is the private key of the public key pair of the cipher function.
14. The device for authenticating user's access rights to resources of claim 12, wherein the cipher function is of the public key cryptography, and the unique security characteristic information of the device is the private key of the public key pair of the cipher function.
15. The device for authenticating user's access rights to resources of claim 8, wherein the cipher function is of the symmetric key cryptography, and the unique security characteristic information of the device is the common key of the cipher function.
16. The device for authenticating user's access rights to resources of claim 9, wherein the cipher function is of the symmetric key cryptography, and the unique security characteristic information of the device is the common key of the cipher function.
17. The A device for authenticating user's access rights to resources of claim 1, further comprising: first memory means for storing challenging data; second memory means for storing unique identifying information of the user; third memory means for storing proof support information which is a result of executing a first computation using both the user unique identifying information and unique security characteristic information, wherein the unique security characteristic information is one of a decryption key of a cipher function, an encryption key of a cipher function, and a signature key of a digital signature function, which corresponds to the challenging data; response generation means for generating a response by executing a second computation using the challenging data stored in the first memory means, the unique identifying information of the user stored in the second memory means, and the proof support information stored in the third memory means; verification means for verifying legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation; a proving device having the first memory means, the second memory means, the third memory means and the response generation means; and a verification device having fourth memory means for storing the challenging data, fifth memory means for storing the response and the verification means, wherein the verification device transfers the challenging data stored in the fourth memory means to the first memory means of the proving device, the proving device transfers the response generated by the response generation means to the fifth memory means of the verification device, and the verification means of the verification device verifies the legitimacy of the response stored in the fifth memory means.
18. The device for authenticating user's access rights to resources of claim 17, wherein the unique security characteristic information of the device is an encryption key of a cipher function, the verification device comprises random number generation means for generating a random number and for storing it in the fourth memory means, and the verification means verifies the legitimacy of the response by verifying that the response stored in the fifth memory means is identical with encryption of the challenging data stored in the fourth memory means with the encryption key.
19. The device for authenticating user's access rights to resources of claim 17, wherein the unique security characteristic information of the device is a decryption key of a cipher function, the verification device comprises random number generation means for generating a random number, sixth memory means for storing the generated random number and seventh memory means for storing a seed for challenging data, and wherein the random number generation means stores the generated random number in the sixth memory means while randomizing the seed for the challenging data stored in the seventh memory means by executing predefined calculations to the random number stored in the sixth memory means and the seed stored in the seventh memory means and then storing the randomized seed as challenging data in the fourth memory means, and the verification means of the verification device de-randomizes the response stored in the fifth memory means by executing predefined calculations to the random number stored in the sixth memory means and the response stored in the fifth memory means, and then verifies the legitimacy of the de-randomized response by verifying that the de-randomized result is identical with decryption of the seed stored in the seventh memory means with the decryption key which is the unique security characteristic information of the device.
20. The device for authenticating user's access rights to resources of claim 17, wherein the unique security characteristic information of the device is the signature key of a digital signature function, and the verification device comprises random number generation means for generating a random number and storing the generated random number as challenging data in the fourth memory means, and wherein the verification means of the verification device verifies the legitimacy of the response by verifying that the response stored in the fifth memory means is identical with the digital signature for the challenging data stored in the fourth memory means, which is calculated with the signature key which is the unique security characteristic information of the device.
21. The device for authenticating user's access rights to resources of claim 18, wherein the unique security characteristic information of the device is the private key D of an RSA public key pair with a modulus n, and the verification means verifies the legitimacy of the response by verifying that the E-th power of the response R stored in the fifth memory means, where E denotes the public key associated with the private key D, is congruent with the challenging data C stored in the fourth memory means modulo n (R^(E) mod n=C mod n).
22. The device for authenticating user's access rights to resources of claim 19, wherein the unique security characteristic information of the device is the private key D of an RSA public key pair with a modulus n, a seed C′ for challenging data stored in the seventh memory means is an RSA-encryption of data K with the public key E of the RSA public key pair (DE mod φ(n)=1, C′=K^(E) mod n), a random number r generated by the random number generation means is stored in the sixth memory means, challenging data C generated and stored in the fourth memory means satisfies the relation C=r^(E)C′ mod n, and the verification means verifies the legitimacy of the response R stored in the fifth memory means by verifying that the quotient of R divided by r modulo n is congruent with the data K modulo n (K mod n=r⁻¹R mod n).
23. The device for authenticating user's access rights to resources of claim 21, wherein a proof support information t stored in the third memory means satisfies the relation t=D−e+wφ(n), where e denotes user unique identifying information stored in the second memory means, w denotes a conflict-free random number determined dependent upon both n and e and φ(n) denotes the Euler number of n, and the response generated by response generation means is identical with the D-th power of challenging data C stored in the first memory means modulo n (R=C^(D) mod n).
24. The device for authenticating user's access rights to resources of claim 22, wherein a proof support information t stored in the third memory means satisfies the relation t=D−e+wφ(n), where e denotes user unique identifying information stored in the second memory means, w denotes a conflict-free random number determined dependent upon both n and e and φ(n) denotes the Euler number of n, and the response generated by response generation means is identical with the D-th power of challenging data C stored in the first memory means modulo n (R=C^(D) mod n).
25. The device for authenticating user's access rights to resources of claim 23, wherein the response generation means further comprises: third calculation means for calculating the t-th power of challenging data C stored in the first memory means modulo n (C^(t) mod n), where t denotes proof support information stored in the third memory means; fourth calculation means for calculating the e-th power of the challenging data C modulo n (C^(e) mod n), where e denotes user unique identifying information stored in the second memory means; and fifth calculation means for calculating a response R by multiplying the result calculated by the third calculation means by the result calculated by the fourth calculation means modulo n (R=C^(t)C^(e) mod n).
26. The device for authenticating user's access rights to resources of claim 24, wherein the response generation means further comprises: third calculation means for calculating the t-th power of challenging data C stored in the first memory means modulo n (C^(t) mod n), where t denotes proof support information stored in the third memory means; fourth calculation means for calculating the e-th power of the challenging data C modulo n (C^(e) mod n), where e denotes user unique identifying information stored in the second memory means; and fifth calculation means for calculating a response R by multiplying the result calculated by the third calculation means by the result calculated by the fourth calculation means modulo n (R=C^(t)C^(e) mod n).
27. The device for authenticating user's access rights to resources of claim 25, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
28. The device for authenticating user's access rights to resources of claim 26, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
29. The device for authenticating user's access rights to resources of claim 21, wherein proof support information t stored in the third memory means satisfies the relation t=D+F(n, e), where e denotes user unique identifying information stored in the second memory means, and F(x, y) denotes a two-variable collision-free function, and a response generated by the response generation means is identical with the D-th power of challenging data C stored in the first memory means modulo n (R=C^(D) mod n).
30. The device for authenticating user's access rights to resources of claim 22, wherein proof support information t stored in the third memory means satisfies the relation t=D+F(n, e), where e denotes the user unique identifying information stored in the second memory means, and F(x, y) denotes a two-variable collision-free function, and a response generated by the response generation means is identical with the D-th power of challenging data C stored in the first memory means modulo n (R=C^(D) mod n).
31. The device for authenticating user's access rights to resources of claim 29, wherein the response generation means further comprises: third calculation means for calculating the t-th power of challenging data C stored in the first memory means modulo n, where t denotes the proof support information stored in the third memory means (C^(t) mod n); fourth calculation means for calculating the F(n, e)-th power of the challenging data C modulo n (C^(F(n, e)) mod n), where e denotes the user unique identifying information stored in the second memory means and F(x, y) denotes a two-variable collision-free function; and fifth calculation means for calculating a response R by dividing the result calculated by the third calculation means by the result calculated by the fourth calculation means modulo n (R=C^(t)C^(−F(n, e)) mod n).
32. The device for authenticating user's access rights to resources of claim 30, wherein the response generation means further comprises: third calculation means for calculating the t-th power of challenging data C stored in the first memory means modulo n, where t denotes proof support information stored in the third memory means (C^(t) mod n); fourth calculation means for calculating the F(n, e)-th power of the challenging data C modulo n (C^(F(n, e)) mod n), where e denotes user unique identifying information stored in the second memory means and F(x, y) denotes a two-variable collision-free function; and fifth calculation means for calculating a response R by dividing the result calculated by the third calculation means by the result calculated by the fourth calculation means modulo n (R=C^(t)C^(−F(n, e)) mod n).
33. The device for authenticating user's access rights to resources of claim 31, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
34. The device for authenticating user's access rights to resources of claim 32, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
35. The device for authenticating user's access rights to resources of claim 18, wherein the unique security characteristic information of the device is a key D of a Pohlig-Hellman key pair of a modulus p, and the verification means verifies the legitimacy of the response by verifying that the E-th power of the response R stored in the fifth memory means, where E denotes the counterpart key of the key D (DE mod (p−1)=1), is congruent with the challenging data C stored in the fourth memory means modulo p (R^(E) mod p=C mod p).
36. The device for authenticating user's access rights to resources of claim 19, wherein the unique security characteristic information of the device is a key D of a Pohlig-Hellman key pair of a modulus p, a seed C′ for challenging data stored in the seventh memory means is Pohlig-Hellman-encryption of data K with the counterpart key E of the key D (DE mod (p−1)=1, C′=K^(E) mod p), a random number r generated by the random number generation means is stored in the sixth memory means, challenging data C stored in the fourth memory means satisfies the relation C=r^(E)C′ mod p, and the verification means verifies the legitimacy of the response R stored in the fifth memory means by verifying that the quotient of R divided by r modulo p is congruent with the data K modulo p (K mod p=r⁻¹R mod p).
37. The device for authenticating user's access rights to resources of claim 35, wherein proof support information t stored in the third memory means satisfies the relation t=D+F(p, e), where e denotes the user unique identifying information stored in the second memory means, and F(x, y) denotes a two-variable collision-free function, and a response generated by the response generation means is identical with the D-th power of challenging data C stored in the first memory means modulo p (R=C^(D) mod p).
38. The device for authenticating user's access rights to resources of claim 36, wherein proof support information t stored in the third memory means satisfies the relation t=D+F(p, e), where e denotes the user unique identifying information stored in the second memory means, and F(x, y) denotes a two-variable collision-free function, and a response generated by the response generation means is identical with the D-th power of challenging data C stored in the first memory means modulo p (R=C^(D) mod p).
39. The device for authenticating user's access rights to resources of claim 37, wherein the response generation means further comprises: third calculation means for calculating the t-th power of challenging data C stored in the first memory means modulo p, where t denotes the proof support information stored in the third memory means (C^(t) mod p); fourth calculation means for calculating the F(p, e)-th power of the challenging data C modulo p (C^(F(p, e)) mod p), where e denotes the user unique identifying information stored in the second memory means and F(x, y) denotes a two-variable collision-free function; and fifth calculation means for calculating a response R by dividing the result calculated by the third calculation means by the result calculated by the fourth calculation means modulo p (R=C^(t)C^(−F(p, e)) mod p).
40. A device for authenticating user's access rights to resources of claim 38, wherein the response generation means further comprises: third calculation means for calculating the t-th power of challenging data C stored in the first memory means modulo p, where t denotes the proof support information stored in the third memory means (C^(t) mod p); fourth calculation means for calculating the F(p, e)-th power of the challenging data C modulo p (C^(F(p, e)) mod p), where e denotes the user unique identifying information stored in the second memory means and F(x, y) denotes a two-variable collision-free function; and fifth calculation means for calculating a response R by dividing the result calculated by the third calculation means by the result calculated by the fourth calculation means modulo p (R=C^(t)C^(−F(p, e)) mod p).
41. The device for authenticating user's access rights to resources of claim 39, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
42. The device for authenticating user's access rights to resources of claim 40, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
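The RSA claims (21 through 34) and the Pohlig-Hellman claims (35 through 42) share one piece of arithmetic: the device key D is never handed to the proving device, only a proof support value t that combines D with the user identifier e, and the response comes out as C^D mod n anyway because the two calculation means recombine t and e under the exponent. The Python script below is an illustration added here, not code from the patent. It issues t in both the subtractive form t = D − e + wφ(n) (claims 23 to 26) and the additive form t = D + F(n, e) (claims 29 to 32), computes the response from the separate C^t and C^e (or C^t and C^(−F(n, e))) terms, checks R^E mod n against C (claims 21 and 35), and also carries out the randomized seed exchange of claims 22 and 36, where the verifier keeps a seed C′ = K^E mod n, sends C = r^E C′ mod n, and recovers K as r⁻¹R mod n. The same functions serve the Pohlig-Hellman case by passing a prime modulus p and p − 1 in place of n and φ(n). The textbook-sized keys, the user identifier, and the use of a SHA-256 digest of (n, e) both as the conflict-free number w and as the collision-free function F(x, y) are assumptions of the example; the claims fix none of these.

```python
"""Proof-support challenge/response over RSA and Pohlig-Hellman (added example).

Assumptions (not from the patent): the conflict-free number w and the
collision-free function F(n, e) are both derived from a SHA-256 digest of
(modulus, user id); every key here is textbook-sized and only shows the
arithmetic. Needs Python 3.8+ for pow(x, -1, m).
"""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (classic textbook values; far too small for real use).
P, Q = 61, 53
RSA_N = P * Q                    # 3233
RSA_PHI = (P - 1) * (Q - 1)      # 3120
RSA_E = 17
RSA_D = pow(RSA_E, -1, RSA_PHI)  # 2753, since 17 * 2753 = 1 mod 3120

# Constructed toy Pohlig-Hellman key: prime modulus p, exponents inverse mod p-1.
PH_P = 2357
PH_E = 5
PH_D = pow(PH_E, -1, PH_P - 1)


def collision_free(n, e):
    """Assumed w / F(n, e): SHA-256 of (n, e) read as an integer, made odd so it is never 0."""
    digest = hashlib.sha256(f"{n}:{e}".encode()).digest()
    return int.from_bytes(digest, "big") | 1


def issue_t_subtractive(d, phi, n, user_id):
    """Claims 23/24: t = D - e + w*phi(n); the issuer, not the proving device, knows D."""
    t = d - user_id + collision_free(n, user_id) * phi
    assert t > 0, "w must be large enough to keep the exponent positive"
    return t


def respond_subtractive(c, t, user_id, n):
    """Claims 25/26: third means C^t, fourth means C^e, fifth means their product mod n."""
    third = pow(c, t, n)           # uses only the proof support information
    fourth = pow(c, user_id, n)    # uses only the user id (kept inside the protect means)
    return (third * fourth) % n    # == C^(D + w*phi(n)) == C^D mod n


def issue_t_additive(d, n, user_id):
    """Claims 29/30 (and 37/38 with n = p): t = D + F(n, e)."""
    return d + collision_free(n, user_id)


def respond_additive(c, t, user_id, n):
    """Claims 31/32 (and 39/40): R = C^t * C^(-F(n, e)) mod n; needs gcd(C, n) == 1."""
    third = pow(c, t, n)
    fourth = pow(c, collision_free(n, user_id), n)
    return (third * pow(fourth, -1, n)) % n


def verify(r, c, e_pub, n):
    """Claims 21/35: accept iff R^E mod n == C mod n."""
    return pow(r, e_pub, n) == c % n


def randomized_challenge(k, e_pub, n):
    """Claims 22/36, verifier side: seed C' = K^E mod n, challenge C = r^E * C' mod n."""
    c_seed = pow(k, e_pub, n)
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:         # r must be invertible for de-randomization
            break
    return (pow(r, e_pub, n) * c_seed) % n, r


def derandomize(r_resp, r, n):
    """Claims 22/36, verifier side: K = r^-1 * R mod n."""
    return (pow(r, -1, n) * r_resp) % n


def run(n, phi, d, e_pub, user_id, c, k):
    """One complete exchange per variant; returns the values a checker would inspect."""
    t_sub = issue_t_subtractive(d, phi, n, user_id)
    t_add = issue_t_additive(d, n, user_id)
    r_sub = respond_subtractive(c, t_sub, user_id, n)
    r_add = respond_additive(c, t_add, user_id, n)
    chal, r = randomized_challenge(k, e_pub, n)
    k_back = derandomize(respond_subtractive(chal, t_sub, user_id, n), r, n)
    # A proving device holding the right t but the wrong user id computes C^(D+1), not C^D.
    wrong = respond_subtractive(c, t_sub, user_id + 1, n)
    return {
        "response_sub": r_sub,
        "response_add": r_add,
        "verified_sub": verify(r_sub, c, e_pub, n),
        "verified_add": verify(r_add, c, e_pub, n),
        "wrong_user_verified": verify(wrong, c, e_pub, n),
        "recovered_k": k_back,
    }


if __name__ == "__main__":
    print(run(RSA_N, RSA_PHI, RSA_D, RSA_E, 1234, 2790, 42))
    print(run(PH_P, PH_P - 1, PH_D, PH_E, 1234, 65, 42))
```

The point worth noticing is in `respond_subtractive` and `respond_additive`: neither function ever forms D, and the user identifier is consumed only by the fourth calculation means, which is what claims 27, 28, 33 and 34 place behind the protect means together with the second memory means. A device that holds the correct t but the wrong identifier produces C^(D+1) rather than C^D, and the verifier's R^E check rejects it.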
43. The device for authenticating user's access rights to resources of claim 19, wherein the unique security characteristic information of the device is the private key X of an ElGamal public key pair with a modulus p and a generator G, the public key Y corresponding to X is the X-th power of G modulo p (Y=G^(X) mod p), u denotes the z-th power of G modulo p (u=G^(z) mod p) for a random number z, K′ denotes the product modulo p of the z-th power of Y modulo p and a data K (K′=Y^(z)K mod p), the seventh memory means retains the pair of u and K′, a random number r generated by the random generation means is stored in the sixth memory means, C denotes the product modulo p of K′ and r (C=rK′ mod p), the fourth memory means retains the pair C and u, and the verification means verifies the legitimacy of the response R stored in the fifth memory means by verifying that the quotient of R divided by r modulo p is congruent with K modulo p (K mod p=r⁻¹R mod p).
44. The device for authenticating user's access rights to resources of claim 43, wherein proof support information t stored in the third memory means satisfies the relation t=X+F(p, e), where e denotes the user unique identifying information stored in the second memory means and F(x, y) denotes a two-variable collision-free function, and a response R generated by the response generation means is identical with the quotient of C divided by the X-th power of u modulo p (R=u^(−X)C mod p), where the pair C and u is the challenging data stored in the first memory means.
45. The device for authenticating user's access rights to resources of claim 44, wherein the response generation means further comprises: third calculation means for calculating the t-th power of the component u of the challenging data pair stored in the first memory means modulo p, where t denotes proof support information stored in the third memory means (u^(t) mod p); fourth calculation means for calculating the F(p, e)-th power of u modulo p (u^(F(p, e)) mod p), where e denotes the user unique identifying information stored in the second memory means and F(x, y) denotes a two-variable collision-free function; and fifth calculation means for calculating a response R by dividing the product of the other component C of the challenging data pair and the result calculated by the fourth calculation means by the result calculated by the third calculation means modulo p (R=Cu^(F(p, e))u^(−t) mod p).
46. The device for authenticating user's access rights to resources of claim 45, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
47. The device for authenticating user's access rights to resources of claim 20, wherein the unique security characteristic information of the device is the signature key X of an ElGamal public key pair with a modulus p and a generator G, the public key Y corresponding to X is the X-th power of G modulo p (Y=G^(X) mod p), a response stored in the fifth memory means is a pair of R and S, and the verification means verifies the legitimacy of the response R stored in the fifth memory means by verifying that the C-th power of G for the challenging data C stored in the fourth memory means is congruent modulo p with the product of the R-th power of Y and the S-th power of R (G^(C) mod p=Y^(R)R^(S) mod p).
48. The device for authenticating user's access rights to resources of claim 47, wherein proof support information t stored in the third memory means satisfies the relation t=X+F(p, e), where e denotes the user unique identifying information stored in the second memory means, and F(x, y) denotes a two-variable collision-free function, and the response generation means generates a response pair R and S by carrying out the following steps of: generating a random number k; calculating R as the k-th power of G modulo p (R=G^(k) mod p); and calculating S according to the relation S=(C−RX)k⁻¹ mod (p−1).
49. The device for authenticating user's access rights to resources of claim 48, further comprising: protect means for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means and the fourth calculation means.
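Claims 43 through 49 move the same proof-support idea onto ElGamal, in two shapes: a decryption-style exchange where the verifier holds the seed pair (u, K′) = (G^z, Y^z K) mod p, randomizes it into (C, u) with C = rK′ mod p, and expects r⁻¹R ≡ K; and a signature-style exchange where the proving device returns the ElGamal pair (R, S) for a random challenge C and the verifier checks G^C ≡ Y^R R^S mod p. The Python script below is an example added here, not code from the patent. It follows claim 45 literally, computing u^t and u^(F(p, e)) as separate calculation means so that the private key X is never formed in the decryption variant, and follows claim 48 for the signature variant, where X is recovered as t − F(p, e) inside the part claim 49 places behind the protect means. The prime p, the generator G, the private key X, the user identifier, the data K, and the use of a SHA-256 digest of (p, e) as the collision-free function F(x, y) are all assumptions of the example.

```python
"""Proof-support challenge/response over ElGamal (added example for claims 43 to 49).

Assumptions (not from the patent): F(p, e) is a SHA-256 digest of (p, e); the
prime p, generator G and private key X are textbook-sized values chosen only to
show the arithmetic. Needs Python 3.8+ for pow(x, -1, m).
"""
import hashlib
import secrets
from math import gcd

# Constructed toy ElGamal key: p prime, G a generator of the multiplicative group mod p.
P = 2357
G = 2
X_PRIV = 1751                # device's unique security characteristic information
Y_PUB = pow(G, X_PRIV, P)    # Y = G^X mod p, the public counterpart


def collision_free_f(p, e):
    """Assumed F(p, e): SHA-256 of (p, e) read as an integer."""
    return int.from_bytes(hashlib.sha256(f"{p}:{e}".encode()).digest(), "big")


def issue_t(x, p, user_id):
    """Claims 44/48: t = X + F(p, e); only t is handed to the proving device."""
    return x + collision_free_f(p, user_id)


# --- decryption variant, claims 43 to 46 ------------------------------------

def make_seed(k, y, g, p):
    """Seventh memory means: (u, K') = (G^z mod p, Y^z * K mod p) for a random z."""
    z = secrets.randbelow(p - 2) + 1
    return pow(g, z, p), (pow(y, z, p) * k) % p


def randomize_challenge(seed, p):
    """Sixth/fourth memory means: pick r, send (C, u) with C = r * K' mod p."""
    u, k_prime = seed
    r = secrets.randbelow(p - 1) + 1    # 1 <= r < p, so r is invertible mod p
    return ((r * k_prime) % p, u), r


def respond_decrypt(challenge, t, user_id, p):
    """Claim 45: R = C * u^F(p,e) * u^(-t) mod p, which equals C * u^(-X) mod p."""
    c, u = challenge
    third = pow(u, t, p)                                # from the proof support information
    fourth = pow(u, collision_free_f(p, user_id), p)    # from the user id (protect means)
    return (c * fourth * pow(third, -1, p)) % p


def derandomize(r_resp, r, p):
    """Claim 43: K = r^-1 * R mod p."""
    return (pow(r, -1, p) * r_resp) % p


# --- signature variant, claims 47 to 49 -------------------------------------

def respond_sign(c, t, user_id, g, p):
    """Claim 48: R = G^k mod p, S = (C - R*X) * k^-1 mod (p-1), with X = t - F(p, e)."""
    x = t - collision_free_f(p, user_id)    # recovered inside the protect means only
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1:              # k must be invertible mod p-1
            break
    r = pow(g, k, p)
    s = ((c - r * x) * pow(k, -1, p - 1)) % (p - 1)
    return r, s


def verify_sign(c, r, s, y, g, p):
    """Claim 47: accept iff G^C == Y^R * R^S mod p."""
    return pow(g, c, p) == (pow(y, r, p) * pow(r, s, p)) % p


def run(user_id, k, c):
    """One decryption-style and one signature-style exchange for the same user."""
    t = issue_t(X_PRIV, P, user_id)
    seed = make_seed(k, Y_PUB, G, P)
    challenge, r = randomize_challenge(seed, P)
    k_back = derandomize(respond_decrypt(challenge, t, user_id, P), r, P)
    sig_r, sig_s = respond_sign(c, t, user_id, G, P)
    return {
        "recovered_k": k_back,
        "signature_ok": verify_sign(c, sig_r, sig_s, Y_PUB, G, P),
        "altered_challenge_ok": verify_sign(c + 1, sig_r, sig_s, Y_PUB, G, P),
    }


if __name__ == "__main__":
    print(run(4242, 1000, 1234))
```

In the decryption variant the verifier learns nothing but whether K came back, since C = rK′ is fresh for every run; in the signature variant the response pair is bound to the challenge, so the same (R, S) presented against a different C fails the G^C check, which is what the `altered_challenge_ok` field in `run` exercises.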
50. The device for authenticating user's access rights to resources of claim 4, wherein the user unique identifying information stored in the second memory means is a decryption key of a cipher function, the proof support information stored in the third memory means is an encryption of the unique security characteristic information of the device with the encryption key corresponding to the decryption key, and the first calculation means calculates the unique security characteristic information of the device by decrypting the proof support information stored in the third memory means with the decryption key stored in the second memory means.
51. The device for authenticating user's access rights to resources of claim 50, wherein the cipher function is of the asymmetric key cryptography, and the user unique identifying information is a component of the key pair of the cipher function.
52. The device for authenticating user's access rights to resources of claim 51, wherein the cipher function is of the public key cryptography, and the user unique identifying information is the private key of the public key pair of the cipher function.
53. The device for authenticating user's access rights to resources of claim 50, wherein the cipher function is of the symmetric key cryptography, and the user unique identifying information is the common secret key of the cipher function.
54. The device for authenticating user's access rights to resources of claim 8, wherein the verification device further comprises: eighth memory means for storing clear data, an encryption of which is the challenging data stored in the first memory means; and comparison means for examining whether the clear data stored in the eighth memory means is identical with data inputted to the comparison means, and wherein the verification means feeds the response stored in the fifth memory means to the comparison means, receives the answer from the comparison means, and thereby the verification means verifies the legitimacy of the response if and only if the received answer shows that the clear data stored in the eighth memory means is identical with the data inputted to the comparison means.
55. The device for authenticating user's access rights to resources of claim 19, wherein the verification device further comprises: eighth memory means for storing clear data, an encryption of which is the seed for challenging data stored in the seventh memory means; and comparison means for examining whether the clear data stored in the eighth memory means is identical with data inputted to the comparison means, and wherein the verification means feeds the de-randomized value of the response stored in the fifth memory means to the comparison means, receives the answer from the comparison means, and thereby the verification means verifies the legitimacy of the response if and only if the received answer shows that the clear data stored in the eighth memory means is identical with the de-randomized value of the response inputted to the comparison means.
56. The device for authenticating user's access rights to resources of claim 8, wherein the verification device further comprises: ninth memory means for storing a value obtained by applying a one-way function to clear data, an encryption of which is the challenging data stored in the seventh memory means; sixth calculation means for outputting a value calculated by applying the one-way function to inputted data; and comparison means for examining whether the value stored in the ninth memory means is identical with data inputted to the comparison means, and wherein the verification means feeds the response to the sixth calculation means, receives a result from the sixth calculation means, feeds the result to the comparison means and receives an answer from the comparison means, and thereby the verification means verifies the legitimacy of the response if and only if the received answer shows that the result of the calculation by the sixth calculation means is identical with the data stored in the ninth memory means.
57. The device for authenticating user's access rights to resources of claim 19, wherein the verification device further comprises: ninth memory means for storing a value obtained by applying a one-way function to clear data, an encryption of which is a seed for the challenging data stored in the seventh memory means; sixth calculation means for outputting a value calculated by applying the one-way function to inputted data; and comparison means for examining whether the value stored in the ninth memory means is identical with data inputted to the comparison means, and wherein the verification means feeds the de-randomized value of the response to the sixth calculation means, receives a result from the sixth calculation means, feeds the result to the comparison means and receives an answer from the comparison means, and thereby the verification means verifies the legitimacy of the response if and only if the received answer shows that the result of the calculation by the sixth calculation means is identical with the data stored in the ninth memory means.
58. The device for authenticating user's access rights to resources of claim 8, wherein the verification device further comprises: program execution means for executing code of a program, an encryption of which is the challenging data stored in the seventh memory means, and wherein the verification means feeds the response stored in the fifth memory means as program code to the program execution means, and the program execution means correctly functions if and only if the response generation means correctly decrypts the challenging data which is an encryption of the code of the program, that is, the encryption of the program is correctly decrypted.
59. The device for authenticating user's access rights to resources of claim 19, wherein the verification device further comprises: program execution means for executing code of a program, an encryption of which is the seed for challenging data stored in the seventh memory means, and wherein the verification means feeds the de-randomized value of the response stored in the fifth memory means as program code to the program execution means, and the program execution means correctly functions if and only if the response generation means correctly decrypts the seed for challenging data which is an encryption of the code of the program, that is, the encryption of the program is correctly decrypted.
60. The device for authenticating user's access rights to resources of claim 8, wherein the verification device further comprises: program execution means; program storing means; and program decryption means, and wherein the program storing means stores code of a program a part or all of which is encrypted, an encryption of the decryption key for the partial or whole encrypted program code is the challenging data stored in the seventh memory means, the verification means feeds the response to the program decryption means, the program decryption means decrypts the program stored in the program storing means with the response as a decryption key, and the program execution means correctly executes the decrypted program if and only if the response generation means correctly decrypts the challenging data, that is, the decryption key for decrypting the encryption of the program is correctly decrypted.
61. The device for authenticating user's access rights to resources of claim 19, wherein the verification device further comprises: program execution means; program storing means; and program decryption means, and wherein the program storing means stores code of a program a part or all of which is encrypted, an encryption of the decryption key for the partial or whole encrypted program code is the seed for challenging data stored in the seventh memory means, the verification means feeds the de-randomized value of the response to the program decryption means, the program decryption means decrypts the program stored in the program storing means with the response as a decryption key, and the program execution means correctly executes the decrypted program if and only if the response generation means correctly decrypts the seed for the challenging data, that is, the decryption key for decrypting the encryption of the program is correctly decrypted.
62. The device for authenticating user's access rights to resources of claim 17, wherein the proving device and the verification device are installed in a box material, and the verification device transfers the challenging data stored in the fourth memory means to the first memory means of the proving device and the proving device transfers the response generated by the response generation means to the fifth memory means of the verification device without using a communication network outside of the box material.
63. A method for authenticating user's access rights to resources by verifying the legitimacy of a response generated from challenging data for proving the user's access rights, comprising: a step for storing the challenging data; a step for storing unique identifying information of the user; a step for storing proof support information which is a result of predetermined computations to the unique identifying information of the user and unique security characteristic information; a step for generating a response by executing predetermined computations to the challenging data, the unique identifying information of the user and the proof support information; and a step for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation.
 64. Acomputer program product for use with a computer, the computer programproduct comprising: a computer usable medium having computer readableprogram code means embodied in the medium for causing the computer toauthenticate user's access rights to resources by verifying thelegitimacy of a response generated from challenging data for proving theuser's access rights, the computer program product having: computerreadable program code means for causing the computer to store thechallenging data; computer readable program code means for causing thecomputer to store unique identifying information of the user; computerreadable program code means for causing the computer to store proofsupport information which is a result of predetermined computations tothe unique identifying information of the user and unique securitycharacteristic information; computer readable program code means forcausing the computer to generate a response by executing a predeterminedcomputations to the challenging data, the unique identifying informationof the user and the proof support information; and computer readableprogram code means for causing the computer to verify the legitimacy ofthe response by verifying that the response, the challenging data andthe unique security characteristic information satisfy a specificpredefined relation.
 65. A computer program product for use with acomputer, the computer program product comprising: a computer usablemedium having computer readable program code means embodied in themedium for causing the computer to generate a response from challengingdata, the legitimacy of which is to be verified for authenticatinguser's access rights, the computer program product having: computerreadable program code means for causing the computer to store thechallenging data; computer readable program code means for causing thecomputer to store unique identifying information of the user; computerreadable program code means for causing the computer to store proofsupport information which is a result of predetermined computations tothe unique identifying information of the user and unique securitycharacteristic information; and computer readable program code means forcausing the computer to generate a response by executing predeterminedcomputations to the challenging data, the unique identifying informationof the user and the proof support information.
 66. A program executioncontrol device for authenticating user's access rights to resources byverifying the legitimacy of a response generated from challenging datafor proving the user's access rights and controlling execution of aprogram based on the authentication of the user's access rights,comprising: first memory means for storing challenging data; secondmemory means for storing unique identifying information of the user;third memory means for storing proof support information which is aresult of predetermined computations to the unique identifyinginformation of the user and unique security characteristic informationof the device; response generation means for generating a response byexecuting predetermined computations to the challenging data, the uniqueidentifying information of the user and the proof support information;verification means for verifying the legitimacy of the response byverifying that the response, the challenging data and the uniquesecurity characteristic information satisfy a specific predefinedrelation; and continuation means for continuing execution of the programif the legitimacy of the response is verified.
 67. An informationprocessing apparatus for authenticating user's access rights to specificinformation processing resources by verifying the legitimacy of aresponse generated for proving the user's access rights and permittingaccess to the specific information processing resources, comprising:first memory means for storing challenging data; second memory means forstoring unique identifying information of the user; third memory meansfor storing proof support information which is a result of predeterminedcomputations to the unique identifying information of the user andunique security characteristic information; response generation meansfor generating a response by executing predetermined computations to thechallenging data, the unique identifying information of the user and theproof support information; verification means for verifying thelegitimacy of the response by verifying that tho response, thechallenging data and the unique security characteristic informationsatisfy a specific predefined relation; and permission means forpermitting access to the specific information processing resources ifthe legitimacy of the response is verified.
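The challenge-response structure of claims 61, 63 and 66, carried through as an added example that is not the patent's own code: it shows a proving side that holds only the user's identifying information and the proof support information, and a verifying side that checks the predefined relation and, as in claim 61, uses the response as the key that decrypts the protected program. The concrete choices are assumptions of this example, not the claims': the device's unique security characteristic is an RSA private exponent d, the "predetermined computations" are modular exponentiation, the proof support information is t = d - H(user_id) mod lambda(N), the verification relation is checked with the public exponent, the program cipher is a constructed XOR keystream, and the de-randomization step of claim 61 is omitted.

```python
import hashlib
from math import gcd

# Constructed toy RSA parameters: far too small for real use, chosen so the
# arithmetic is visible. The private exponent D stands in for the device's
# "unique security characteristic information" (an assumption of this example).
P, Q = 1000003, 1000033
N = P * Q
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # Carmichael lambda(N)
E = 65537
D = pow(E, -1, LAM)                            # Python 3.8+ modular inverse

def h(user_id: str) -> int:
    """Hash of the user's unique identifying information, reduced mod lambda(N)."""
    return int.from_bytes(hashlib.sha256(user_id.encode()).digest(), "big") % LAM

def make_proof_support(user_id: str, d: int = D) -> int:
    """Third memory means: proof support t computed from the user id and the device
    secret d on the issuing side; the proving device itself never needs d."""
    return (d - h(user_id)) % LAM

def make_challenge(seed: int) -> int:
    """Seed for challenging data (claim 61): the program key encrypted under the
    device's public exponent, so only a correct response recovers it."""
    return pow(seed, E, N)

def generate_response(challenge: int, user_id: str, proof_support: int) -> int:
    """Response generation means: combines challenge, user id and proof support.
    Only for the user id the proof support was issued to does h(u) + t equal d."""
    return pow(challenge, (h(user_id) + proof_support) % LAM, N)

def verify(response: int, challenge: int) -> bool:
    """Verification means: the predefined relation response^E == challenge (mod N)."""
    return pow(response, E, N) == challenge % N

def decrypt_program(encrypted: bytes, key: int) -> bytes:
    """Program decryption means: constructed XOR keystream derived from the key."""
    stream = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(encrypted))

def run_protocol(user_id: str, proof_support: int, program_key: int, encrypted: bytes):
    """One round: challenge -> response -> verify -> decrypt. Returns (verified, plaintext);
    a failed verification yields no plaintext, matching the continuation/permission means."""
    challenge = make_challenge(program_key)
    response = generate_response(challenge, user_id, proof_support)
    if not verify(response, challenge):
        return False, None
    return True, decrypt_program(encrypted, response)
```

Because the proof support is bound to one user id, the same t presented with another user id produces a response that fails the relation, which is the property the claims rely on.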